Posts posted by Cymbeline
11 hours ago, Simeon Amburgey said:
I was not aware this was an issue and I have not experienced anything crazy but will check it out. The only thing I could think of is where you might have originally downloaded your version. @msmcleod, any thoughts on this?
Thanks for the answer. I downloaded it from the link above in this thread.
I happily installed this software to solve a specific problem with my UAD Apollo interface. I then shared what I did on the Apollo forum thinking I could help other people.
But then someone there explained that the file is malicious and does all kinds of things it shouldn't be doing.
Did anybody here have any issues with it after installing it or anything to share about it?
Thanks.
Quote:
Well, that's a very suspicious file. I wouldn't open it.
Registry Keys Opened
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe\RpcThreadPoolThrottle
\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
Remote Access
Reads terminal service related keys
MITRE ATT&CK™ Techniques Detection
This report has 3 indicators that were mapped to 4 attack techniques and 4 tactics.
Defense Evasion, Privilege Escalation
Also activates Remote Desktop Protocol and more suspicious stuff... Why?
And
Quote:
The software seems to be bound with some sort of malicious software, indeed. FUD crypters are used to fool anti-virus scans, therefore called FULLY UNDETECTED crypters. You can reverse engineer some of it, and you'll see the things I've posted. It shouldn't activate remote desktop and other things, just like backdoors/trojans do.
Installation/Persistance
Monitors specific registry key for changes
Remote Access Related
Reads terminal service related keys (often RDP related)
Unusual Characteristics
Imports suspicious APIs
Installs hooks/patches the running process
Anti-Reverse Engineering
PE file contains zero-size sections
Installation/Persistance
Touches files in the Windows directory
I'm sure the "original" installer is clean, but this copy doesn't seem to be.
ODeus ASIO Link now available free (in Deals)
Thank you for explaining. I'm with you and highly doubt it's malicious.