Full Analysis Report of 1334058379_minipartitiontools52.exe

Summary:

  • Summary of the findings

      No. What's been found Severity

Technical details:

  • General

    • User : \\TEST-R7CHD9Q826\Administrator
    • Application type : Windows application
    • Priority : Normal
    • Size : 323776
    • Path : C:\Samples\1334058379_minipartitiontools52.exe
    • Command : "C:\Samples\1334058379_minipartitiontools52.exe"
    • MD5: 89ad3d205da055bcd8dcac78e2918abd
    • SHA1: 6701195139dab19ec4d7e9399eb0865bcb9216bb
    • Alias

      • MalSign.Generic.256 [AVG]
      • Trojan.AntiFW! [Agnitum]
      • PUP/Win32.TSULoader [AhnLab-V3]
      • TR/Kazy.324119.8 [AntiVir]
      • RiskWare[Downloader:not-a-virus,HEUR]/Win32.AdLoad [Antiy-AVL]
      • Win32:InstalleRex-BI [PUP] [Avast]
      • Trojan.Win32.AntiFW.aiT [Baidu-International]
      • Application.Win32.InstalleRex.KG [Comodo]
      • Trojan.WebPick.29 [DrWeb]
      • a variant of Win32/InstalleRex.P [ESET-NOD32]
      • Win32.Application.EZDownloader.A [GData]
      • Trojan ( 00454f271 ) [K7AntiVirus]
      • Trojan ( 00454f271 ) [K7GW]
      • Trojan.Win32.AntiFW.b [Kaspersky]
      • Win32.Troj.AntiFW.b.(kcloud) [Kingsoft]
      • PUP.Optional.Installrex [Malwarebytes]
      • PUP-FHQ!3DE662B83461 [McAfee]
      • PUP-FHQ!3DE662B83461 [McAfee-GW-Edition]
      • Riskware.Win32.InfoLeak.cvgqot [NANO-Antivirus]
      • Win32/Trojan.ca3 [Qihoo-360]
      • PE:PUF.InstallRex!1.9E4C [Rising]
      • Adware.InstallRex/Variant [SUPERAntiSpyware]
      • InstallRex [Sophos]
      • TROJ_GEN.F47V0325 [TrendMicro-HouseCall]
      • Downloader.AdLoad [VBA32]
      • Trojan.Win32.Generic!BT [VIPRE]
    • Version details

      • Company : MyApps
      • File version : 2014.4.24.1440
      • Product version : 1.0.0.3
      • Description : Installer for MyApps
      • Product name : MyApps
      • Legal copyright : Copyright © 2014 MyApps
      • Internal name : TSULoader
    • File times

      • Creation time : Friday, April 25, 2014 - 20:57:43
      • Modification time : Friday, April 25, 2014 - 20:57:44
      • Last access time : Friday, April 25, 2014 - 21:02:48
    • Process times

      • Start time : 21:02:48
      • Exit time : 21:02:50
      • Kernel time : 0.343750 (s)
      • User time : 0.125000 (s)
    • IO counters

      • Read operation : 82
      • Write operation : 1148
      • Other operation : 2578
      • Read transfer : 1216259
      • Write transfer : 1113598
      • Other transfer : 30702
    • Memory details

      • Page fault count : 6896
      • Page file usage : 0
      • Peak page file usage : 15081472
      • Peak working set size : 9940992
      • Quota non paged pool usage : 0
      • Quota paged pool usage : 0
      • Quota peak non paged pool usage : 7064
      • Quota peak paged pool usage : 85940
      • Working set size : 28672
    • Process privileges

      • SeChangeNotifyPrivilege
      • SeSecurityPrivilege
      • SeBackupPrivilege
      • SeRestorePrivilege
      • SeSystemtimePrivilege
      • SeShutdownPrivilege
      • SeRemoteShutdownPrivilege
      • SeTakeOwnershipPrivilege
      • SeDebugPrivilege
      • SeSystemEnvironmentPrivilege
      • SeSystemProfilePrivilege
      • SeProfileSingleProcessPrivilege
      • SeIncreaseBasePriorityPrivilege
      • SeLoadDriverPrivilege
      • SeCreatePagefilePrivilege
      • SeIncreaseQuotaPrivilege
      • SeUndockPrivilege
      • SeManageVolumePrivilege
      • SeImpersonatePrivilege
      • SeCreateGlobalPrivilege
  • Events statistics

      Event Count
      OpenKey 20
      DeleteValueKey 1
      SetValueKey 27
      CreateFile 10
      CreateFolder 4
      WriteFile 1021
      Process Create 1
      Process Exit 1
      Thread Create 2
      Thread Exit 2
      Load Image 57
  • Modules

      Index Name Path Load Address Image Size Entry Point Version Size Company Description


  • File system modifications

    • The following files were created by PUP/Win32.TSULoader

      • %Temp%Tsu56E570BB.dll
      • %Temp%1334058379_minipartitiontools52.log
      • %Temp%B1B7915D.dat
      • %Windir%\Debug\UserMode\ChkAcc.log
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\_Setup.dll
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Setup.ico
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Readme.txt
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Custom.dll
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Setup.exe
    • The following folders were created by PUP/Win32.TSULoader

      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}
      • %CommonAppData%\InstallMate
      • %CommonAppData%\InstallMate\B1B7915D
      • %CommonAppData%\InstallMate\B1B7915D\cfg
    • The following files were modified by PUP/Win32.TSULoader

      • %Temp%Tsu56E570BB.dll
      • %Temp%1334058379_minipartitiontools52.log
      • %Temp%B1B7915D.dat
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\_Setup.dll
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Setup.ico
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Readme.txt
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Custom.dll
      • %Temp%{50097610-63CB-4AC1-A82A-2BE98BEA54E6}\Setup.exe
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
      %Windows% is a variable that refers to the Windows root folder. By default, this is C:\windows (Windows 95/98/Me/XP/Vista/Win7) or C:\winnt (Windows NT/2000/2003/2008).
      %CommonAppData% is a variable that refers to the file system directory that contains application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.

  • Memory modifications

  • Registry modifications

    • The following Registry entry was deleted:

      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\autoconfigurl
    • The following Registry value was modified:

      • HKEY_LOCAL_MACHINE\software\microsoft\cryptography\rng\seed = 9D BA A3 37 2F 43 26 86 ...
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\cache = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
      • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\cache\paths\directory = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
      • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\cache\paths\path1\cachelimit = 0x0004FFB3
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\cookies = "C:\Documents and Settings\Administrator\Cookies"
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\history = "C:\Documents and Settings\Administrator\Local Settings\History"
      • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\common appdata = "C:\Documents and Settings\All Users\Application Data"
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\appdata = "C:\Documents and Settings\Administrator\Application Data"
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\migrateproxy = 0x00000001
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\proxyenable = 0x00000001
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\proxyserver = "127.0.0.1:8087"
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\proxyoverride = ""
      • HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings\proxyenable = 0x00000001
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\connections\savedlegacysettings = 3C 00 00 00 F8 00 00 00 ...
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\proxybypass = 0x00000001
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\intranetname = 0x00000001
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\uncasintranet = 0x00000001
  • Network activity

  • How to get rid of PUP/Win32.TSULoader

    • Remove the following files:

      • C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu56E570BB.dll
      • C:\Documents and Settings\Administrator\Local Settings\Temp\1334058379_minipartitiontools52.log
      • C:\Documents and Settings\Administrator\Local Settings\Temp\B1B7915D.dat
      • C:\WINDOWS\Debug\UserMode\ChkAcc.log
    • Remove the following folders:

      • C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu56E570BB.dll
      • C:\Documents and Settings\Administrator\Local Settings\Temp\1334058379_minipartitiontools52.log
  • How to protect yourself in the future

This report was created with Ax3soft Scout.