Application.GenericKD.4561911_d09434dac2

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

%original file name%.exe:2948

The Application injects its code into the following process(es):

amtemu.v0.9.2-painter.exe:2504

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process amtemu.v0.9.2-painter.exe:2504 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)

The process %original file name%.exe:2948 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe (19234 bytes)
%Program Files%\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe (37602 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.exe (3727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (3070 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.ini (2 bytes)

The Application deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2948 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxyEmu 0.9.2.0]
"InstallSource" = "c:\"
"DisplayIcon" = "%Program Files%\PainteR\ProxyEmu\Uninstall.exe"
"NoRepair" = "1"
"Language" = "1036"
"InstallDate" = "20170326"
"NoModify" = "1"
"InstallLocation" = "%Program Files%\PainteR\ProxyEmu\"
"DisplayVersion" = "0.9.2.0"
"Publisher" = "PainteR"
"UninstallString" = "%Program Files%\PainteR\ProxyEmu\Uninstall.exe"
"EstimatedSize" = "3745"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxyEmu 0.9.2.0]
"VersionMinor" = "9"
"DisplayName" = "ProxyEmu 0.9.2.0"
"VersionMajor" = "0"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5	File path
bf41da0a5f27daacb869e15bef8d766b	c:\Program Files\PainteR\ProxyEmu\Uninstall.exe
8abdc20f619641e29aa9ad2b999a0dcc	c:\Program Files\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe
41afbf49ba7f6ee164f31faa2cd38e15	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll
4a4848a3c13da545774f4e905d472a67	c:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:2948

2. Delete the original Application file.
   
3. Delete or disinfect the following files created/modified by the Application:

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe (19234 bytes)
   %Program Files%\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe (37602 bytes)
   %Program Files%\PainteR\ProxyEmu\Uninstall.exe (3727 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (3070 bytes)
   %Program Files%\PainteR\ProxyEmu\Uninstall.ini (2 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: PainteR
Product Name:
Product Version:
Legal Copyright: PainteR
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.9.2.0
File Description: ProxyEmu 0.9.2.0 Installation
Comments:
Language: English (United States)

Company Name: PainteR Product Name: Product Version: Legal Copyright: PainteR Legal Trademarks: Original Filename: Internal Name: File Version: 0.9.2.0File Description: ProxyEmu 0.9.2.0 Installation Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	148684	148992	4.57091	5e14e4ede2e2215bc7d72837b9871f8f
DATA	155648	10388	10752	2.62963	abafcbfbd7f8ac0226ca496a92a0cf06
BSS	167936	4341	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	176128	6040	6144	3.3864	a4e0ac39d5ed487ceea059fa23dfce5e
.tls	184320	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	188416	24	512	0.14174	c4fdd0c5c9efb616fcc85d66056ca490
.reloc	192512	6276	6656	4.56552	867a1120317d51734587a74f6ee70016
.rsrc	200704	24360	24576	4.13029	6ed73f87158f61fcfb18220e76d8b0c9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
5cb505a9a998b08c634938cfdf85f294

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Application connects to the servers at the folowing location(s):

Strings from Dumps