Analysis Report

Overview

General Information

Analysis ID:	64922
Start time:	21:32:46
Start date:	04/05/2015
Overall analysis duration:	0h 2m 46s
Report type:	full
Sample file name:	virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 93% Number of executed functions: 13 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	76	0 - 100	Report FP / FN

Signature Overview

AV Detection:

Yara signature match

Show sources

Source: 5dac7ebf.exe.dr	Yara output: _ASPack_v212_
Source: FastUserSwitchingCompatibility.dll.dr	Yara output: _epp_ASPack_v211d_
Source: 5dac7ebf.exe.dr	Yara output: _epp_ASPack_v212_
Source: 00000001.00000002.4324852324.005F8000.00000080.sdmp	Yara output: _ASPack_v212_
Source: 5dac7ebf.exe.dr	Yara output: _epp_PESHiELD_v02__v02b__v02b2_
Source: FastUserSwitchingCompatibility.dll.dr	Yara output: _ASProtect_V2X_DLL__Alexey_Solodovnikov_
Source: 00000001.00000000.4310439242.005F8000.00000080.sdmp	Yara output: _ASPack_v212_
Source: FastUserSwitchingCompatibility.dll.dr	Yara output: _epp_ASPack_v212_
Source: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Yara output: _ASPack_v212_
Source: 00000002.00000000.4312316940.00C07000.00000080.sdmp	Yara output: _ASPack_v212_
Source: 00000002.00000002.4313928312.00C07000.00000040.sdmp	Yara output: _ASPack_v212_
Source: FastUserSwitchingCompatibility.dll.dr	Yara output: _epp_PESHiELD_v02__v02b__v02b2_
Source: 5dac7ebf.exe.dr	Yara output: _epp_ASPack_v211d_
Source: 5dac7ebf.exe.dr	Yara output: _ASProtect_V2X_DLL__Alexey_Solodovnikov_
Source: 00000001.00000001.4311024977.005F8000.00000080.sdmp	Yara output: _ASPack_v212_
Source: FastUserSwitchingCompatibility.dll.dr	Yara output: _ASPack_v212_

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_00404CEA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404CEA

Networking:

Urls found in memory or binary data

Show sources

Source: 5dac7ebf.exe	String found in binary or memory: http://%s:%d/%s?%s
Source: iexplore.exe	String found in binary or memory: http://193.166.255.171:8080/mac.htm?28
Source: reg.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362.
Source: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	String found in binary or memory: http://nsis.sf.net/nsis_error

Downloads files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sqm

Boot Survival:

Creates or modifies windows services

Show sources

Source: C:\5dac7ebf.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\5dac7ebf.exe	File created: C:\Windows\System32\FastUserSwitchingCompatibility.dll
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	File created: C:\5dac7ebf.exe

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\5dac7ebf.exe

File created: C:\Windows\System32\FastUserSwitchingCompatibility.dll

Creates a Windows Service pointing to an executable in C:\Windows

Show sources

Source: C:\5dac7ebf.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters ServiceDll C:\Windows\system32\FastUserSwitchingCompatibility.dll

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Binary may include packed or encrypted code

Show sources

Source: initial sample

Static PE information: section name: .UPX entropy: 7.50170873655

Contains functionality to dynamically determine API calls

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_00405CF5 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405CF5

Entry point lies outside standard sections

Show sources

Source: initial sample

Static PE information: section where entry point is pointing to: .UPX

PE file contains an invalid checksum

Show sources

Source: initial sample

Static PE information: real checksum: 0x0 should be: 0x4701e

PE file contains sections with non-standard names

Show sources

Source: initial sample

Static PE information: section name: .UPX

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_0040668F DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,

1_2_0040668F

Enumerates the file system

Show sources

Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config

System Summary:

Binary contains paths to debug symbols

Show sources

Source:

Binary string: C:\exe.pdb source: 5dac7ebf.exe

Contains functionality to check free disk space

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_00404141 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404141

Creates files inside the user directory

Show sources

Source: C:\5dac7ebf.exe

File created: C:\Users\Infotmp.txt

Creates temporary files

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

File created: C:\Users\admin\AppData\Local\Temp\nso5566.tmp

Reads ini files

Show sources

Source: C:\Windows\System32\ie4uinit.exe

File read: C:\Program Files\desktop.ini

Spawns processes

Show sources

Source: unknown	Process created: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe
Source: unknown	Process created: C:\5dac7ebf.exe
Source: unknown	Process created: C:\Windows\System32\reg.exe
Source: unknown	Process created: C:\Windows\System32\reg.exe
Source: unknown	Process created: C:\Windows\System32\reg.exe
Source: unknown	Process created: C:\Windows\System32\reg.exe
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Windows\System32\ie4uinit.exe
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process created: C:\5dac7ebf.exe C:\5dac7ebf.exe
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Windows\System32\ie4uinit.exe C:\Windows\System32\ie4uinit.exe -ShowQLIcon

Uses an in-process (OLE) Automation server

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Writes ini files

Show sources

Source: C:\Windows\System32\ie4uinit.exe

File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_0040354B 73E11541,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,SetErrorInfo,ExitProcess,GetCurrentProcess,ExitWindowsEx,

1_2_0040354B

Creates files inside the system directory

Show sources

Source: C:\5dac7ebf.exe

File created: C:\Windows\system32\FastUserSwitchingCompatibility.dll

Deletes Windows files

Show sources

Source: C:\Windows\System32\reg.exe

File deleted: C:\Windows\Temp\REG5A87.tmp

PE file contains strange resources

Show sources

Source: initial sample	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: initial sample	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: initial sample	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Spawns drivers

Show sources

Source: unknown

Driver loaded: C:\WINDOWS\system32\3AAA263B.sys

PE file has an invalid certificate

Show sources

Source: initial sample

Static PE information: invalid certificate

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: 5dac7ebf.exe

Binary or memory string: Program Manager

Anti Debugging:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_00405CF5 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405CF5

Contains functionality to read the PEB

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Code function: 1_2_005F8000 mov eax, dword ptr fs:[00000030h]		1_2_005F8000
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Code function: 1_1_005F8000 mov eax, dword ptr fs:[00000030h]		1_1_005F8000

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_0040668F DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,

1_2_0040668F

Queries a list of all running processes

Show sources

Source: C:\5dac7ebf.exe

Process information queried: ProcessInformation

Enumerates the file system

Show sources

Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32
Source: C:\Windows\System32\ie4uinit.exe	File opened: C:\Windows\System32\config

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\5dac7ebf.exe

Dropped PE file which has not been started: C:\Windows\System32\FastUserSwitchingCompatibility.dll

Found large amount of non-executed APIs

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

API coverage: 8.6 %

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX

Hooks files or directories query functions (used to hide files and directories)

Show sources

Source: system

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Show sources

Source: system

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: system

IAT, EAT, inline or SSDT hook detected: function: NtQueryValueKey

Modifies the prolog of kernel mode functions (kernel mode inline hooks)

Show sources

Source: system

Kernel code has chanced: module: ntoskrnl.exe function: KeInsertQueueApc new code: 0xE9 0x90 0x00 0x00 0x07 0x78

Modifies the system service dispatch table (places SSDT hooks)

Show sources

Source: system

SSDT hook detected: NtQueryVolumeInformationFile

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Show sources

Source: 5dac7ebf.exe	Binary or memory string: RavMonD.exe
Source: 5dac7ebf.exe	Binary or memory string: 360tray.exe
Source: 5dac7ebf.exe	Binary or memory string: 360Safe.exe

Language, Device and Operating System Detection:

Contains functionality to query windows version

Show sources

Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe

Code function: 1_2_00405DA6 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,

1_2_00405DA6

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\ie4uinit.exe	Qeruies volume information: C:\ VolumeInformation
Source: C:\Windows\System32\ie4uinit.exe	Qeruies volume information: C:\Program Files\Internet Explorer\iexplore.exe VolumeInformation

Yara Overview

Source	Match
5dac7ebf.exe.dr	_ASPack_v212_
FastUserSwitchingCompatibility.dll.dr	_epp_ASPack_v211d_
5dac7ebf.exe.dr	_epp_ASPack_v212_
00000001.00000002.4324852324.005F8000.00000080.sdmp	_ASPack_v212_
5dac7ebf.exe.dr	_epp_PESHiELD_v02__v02b__v02b2_
FastUserSwitchingCompatibility.dll.dr	_ASProtect_V2X_DLL__Alexey_Solodovnikov_
00000001.00000000.4310439242.005F8000.00000080.sdmp	_ASPack_v212_
FastUserSwitchingCompatibility.dll.dr	_epp_ASPack_v212_
virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe	_ASPack_v212_
00000002.00000000.4312316940.00C07000.00000080.sdmp	_ASPack_v212_
00000002.00000002.4313928312.00C07000.00000040.sdmp	_ASPack_v212_
FastUserSwitchingCompatibility.dll.dr	_epp_PESHiELD_v02__v02b__v02b2_
5dac7ebf.exe.dr	_epp_ASPack_v211d_
5dac7ebf.exe.dr	_ASProtect_V2X_DLL__Alexey_Solodovnikov_
00000001.00000001.4311024977.005F8000.00000080.sdmp	_ASPack_v212_
FastUserSwitchingCompatibility.dll.dr	_ASPack_v212_

Screenshot

Startup

system is w7

virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe (PID: 2632 MD5: 6F6D18DD0B2C54D34C44FF0A274399E0)

5dac7ebf.exe (PID: 2764 MD5: 7B8215016A01816BD7612AE3B09B023D)

reg.exe (PID: 2792 cmdline: unknown MD5: D69A9ABBB0D795F21995C2F48C1EB560)

reg.exe (PID: 2260 cmdline: unknown MD5: D69A9ABBB0D795F21995C2F48C1EB560)

reg.exe (PID: 3188 cmdline: unknown MD5: D69A9ABBB0D795F21995C2F48C1EB560)

3AAA263B.sys (PID: 4 MD5: 4D7DF3DAF2EE2605FC194649C7B9C7CA)

reg.exe (PID: 2828 cmdline: unknown MD5: D69A9ABBB0D795F21995C2F48C1EB560)

iexplore.exe (PID: 2552 MD5: 363BC25BACB34E9D40441968B1B3D5BE)

ie4uinit.exe (PID: 2568 MD5: 73AFBF165241EB4502CD15107AA12CBA)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\5dac7ebf.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 7B8215016A01816BD7612AE3B09B023D SHA: C96C64A31C1EBB36C6103D396A5B185866091866 SHA-256: 37EB68D235A774C0AD7354762D9DC705F51557B5744A3523F005D7A8803827DE SHA-512: 7126E11219244922B6D8C52C7C3689A0DFAD1AFDCE1DF73EB7F3D76260B38BBB95524434AF232537BE870FC210EBDA23E71F63C85D4EF585D2D2B582A48025DF
C:\Users\Infotmp.txt	Type: data MD5: 2C90835792ACE9ABF037DC3B441539A6 SHA: 7EC958F5FA244953E25AEA6141C2004982235521 SHA-256: F162EF8B1A86BC577DDB5AE7332E2AF6CD3C028DE298F848E4C8A9FD125F76F3 SHA-512: BC2DDB23A61F797DE0F7984417F3C442319F015634277337AFE6811CCB8724EAA9DC1B01262D694DD70FB69AAB75A2AE4A16CD9B35D907AA3FFFED15881843AB
C:\Windows\System32\FastUserSwitchingCompatibility.dll	Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5: F8156E10F28F57FA3FC74DA5A7CAB8E4 SHA: 44F4F19D6873376880C87CE4ECC994D0EA45B974 SHA-256: 348AC1103E537CF63874999770AC418DAC826C2AB18283029B77433638718B02 SHA-512: 5A36E0AAE13597FE4AB1D5C8FA20D8A9D15E488403ED5F5D88288CBC9E98B5056F4B0D8251A2C93067C7EE2FD65A31DB99CE74E48DAA1080B96D25D9DF4C0753
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	Type: MS Windows shortcut MD5: D5781544A938EF6BD657E81FC6BCFA1D SHA: 4B3F99AE09DCBFC3313F610A9A99A83F81CF2F07 SHA-256: 366B9C3DB365D3969088E1EFE49FFFCAAC2760C456D8BB6884C19FF491E2F079 SHA-512: 7D6DF692B464637A3DB881862A60CB99D613042B8B0AB70D2F761060A1420575E93385C8E2086825B9C5445A30DF9413E80FB986737C49909360B625CE96530E
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Type: ASCII text, with CRLF line terminators MD5: 45746B5317D380078FEBE04385B81405 SHA: E6B9A47DEAB744C12125936C5E5ABB3E07B87FE8 SHA-256: A42B05C8BA93F4F590F5F367118F4850DFF4F3EC3A4A5E1AECCE87A9AE4D5511 SHA-512: CAF91351C5590922A9A3FAA41F5EBC82B450208A486A7A1CEE32C140C2290F8890BCDD216371CFE5135E5CC0CFECA323B1D3A09973CD415239B1F7959AF28098
C:\Windows\Temp\REG5A87.tmp	Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators MD5: A7C2651F1697BE3F92F6524FB282EDB8 SHA: C39731AABD0F3B2104C92909057EA4FD5BDF7E13 SHA-256: 0514E94E05C107D320F41C212F141C1ED64EF11B5DCE23B780C5295C9F5B430B SHA-512: 1A015A10BEF232913394599065FF2E395B469CB682060AD75A0AF13EFE4881DD7F73C6D15F5766C0CFBEAF3A1E84A07C9A034EB883E38D98A9A844C389A2FAD2
C:\Windows\Temp\r27104c9d.txt	Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators MD5: A7C2651F1697BE3F92F6524FB282EDB8 SHA: C39731AABD0F3B2104C92909057EA4FD5BDF7E13 SHA-256: 0514E94E05C107D320F41C212F141C1ED64EF11B5DCE23B780C5295C9F5B430B SHA-512: 1A015A10BEF232913394599065FF2E395B469CB682060AD75A0AF13EFE4881DD7F73C6D15F5766C0CFBEAF3A1E84A07C9A034EB883E38D98A9A844C389A2FAD2
\srvsvc	Type: Hitachi SH big-endian COFF object, not stripped MD5: 1FF3DE735A87D719B35ED6D00689168C SHA: 6711956511BAB8C677A411EA33830E1A2139AC84 SHA-256: 36A192FDB029E0357EB75DF25BF3C2EF035DBCBB9B811527B7276C5CA6D2177E SHA-512: 1160A3480E574315832F8A9B60D0A6293A14D3A259EA3B6E220EEC46D72504C66AF2712A7CEF030F0E0F548845FD1AFC1FEC43985FE56614A6AF27FB75C3BA57

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
TrID:	UPX compressed Win32 Executable (30571/9) 46.56% Win32 EXE Yoda's Crypter (26571/9) 40.46% Win32 Executable (generic) (4510/7) 6.87% Generic Win/DOS Executable (2004/3) 3.05% DOS Executable Generic (2002/1) 3.05%
File name:	virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe
File size:	225792
MD5:	6f6d18dd0b2c54d34c44ff0a274399e0
SHA1:	3d9b01048504fb6e5e482884a9b42946a7a6d2cf
SHA256:	45bd56102f6b224a627937dc2f32b00985cf19c0a4102bbe6ecfed8379fc820c
SHA512:	1ddc356658ad10ed093230f15d064901c824f07ae7f2f47755915655a5258f51138bf2213f5b250d66602dab46c5ee091ddfbfd8eb349e72a1e23f46f814b5d4

File Icon

Static PE Info

General
Entrypoint:	0x5f8000
Entrypoint Section:	.UPX
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui 50
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4AA7AC4B [Wed Sep 9 13:23:23 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0

Authenticode Signature

Signature Valid:	false
Signature Issuer:
Signature Timestamp:
Signature Validation Error:	2148204800
Not Before, Not After
Subject Chain

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000008Ch
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-18h], 0000E000h
mov dword ptr [ebp-3Ch], 355C3A43h
mov dword ptr [ebp-38h], 37636164h
mov dword ptr [ebp-34h], 2E666265h
mov dword ptr [ebp-30h], 00657865h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [ebp-1Ch]
mov eax, dword ptr [eax]
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [ebp-1Ch]
mov eax, dword ptr [eax+08h]
mov dword ptr [ebp-0Ch], eax
mov eax, dword ptr [ebp-0Ch]
mov eax, dword ptr [eax+3Ch]
mov ecx, dword ptr [ebp-0Ch]
mov edx, dword ptr [ebp-0Ch]
add edx, dword ptr [ecx+eax+78h]
mov dword ptr [ebp-24h], edx
mov eax, dword ptr [ebp-24h]
mov ecx, dword ptr [ebp-0Ch]
add ecx, dword ptr [eax+20h]
mov dword ptr [ebp-50h], ecx
mov eax, dword ptr [ebp-24h]
mov ecx, dword ptr [ebp-0Ch]
add ecx, dword ptr [eax+24h]
mov dword ptr [ebp-44h], ecx
mov eax, dword ptr [ebp-24h]
mov ecx, dword ptr [ebp-0Ch]
add ecx, dword ptr [eax+1Ch]
mov dword ptr [ebp-48h], ecx
mov dword ptr [ebp-74h], 50746547h
mov dword ptr [ebp-70h], 41636F72h
mov dword ptr [ebp-6Ch], 65726464h
mov dword ptr [ebp-68h], 00007373h
and dword ptr [ebp-78h], 00000000h
jmp 00007F90ECD79B49h
mov eax, dword ptr [ebp-78h]
inc eax
mov dword ptr [ebp-78h], eax
mov eax, dword ptr [ebp-24h]
mov ecx, dword ptr [ebp-78h]
cmp ecx, dword ptr [eax+18h]
jnc 00007F90ECD79BD0h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f771c	0x214	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d4000	0x2371c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1aa88b0	0x2108
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
UPX0	0x1000	0x1ce000	0x0	0.0	False	0	empty	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x1cf000	0x5000	0x5000	7.82231638058	False	0.944921875	data	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1d4000	0x24000	0x23a00	6.3385403468	False	0.578453947368	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.UPX	0x1f8000	0xf000	0xe400	7.50170873655	False	0.856599506579	data	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	Xored PE
RT_ICON	0x1d43ec	0x10828	data	English	United States	False
RT_ICON	0x1e4c18	0xc1e8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	False
RT_ICON	0x1f0e04	0x25a8	data	English	United States	False
RT_ICON	0x1f33b0	0x10a8	data	English	United States	False
RT_ICON	0x1f445c	0xea8	data	English	United States	False
RT_ICON	0x1f5308	0x8a8	data	English	United States	False
RT_ICON	0x1f5bb4	0x668	data	English	United States	False
RT_ICON	0x1f6220	0x568	GLS_BINARY_LSB_FIRST	English	United States	False
RT_ICON	0x1f678c	0x468	GLS_BINARY_LSB_FIRST	English	United States	False
RT_ICON	0x1f6bf8	0x2e8	data	English	United States	False
RT_ICON	0x1f6ee4	0x128	GLS_BINARY_LSB_FIRST	English	United States	False
RT_DIALOG	0x1d0fe0	0x10c	data	English	United States	False
RT_DIALOG	0x1d10f0	0x1ec	data	English	United States	False
RT_DIALOG	0x1d12e0	0xe4	data	English	United States	False
RT_DIALOG	0x1d13c8	0xda	data	English	United States	False
RT_GROUP_ICON	0x1f7010	0xa0	MS Windows icon resource - 11 icons, 48x48, 16-colors	English	United States	False
RT_VERSION	0x1f70b4	0x29c	data			False
RT_MANIFEST	0x1f7354	0x3c8	XML document text	English	United States	False

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	RegEnumKeyW
COMCTL32.dll
GDI32.dll	SetBkMode
ole32.dll	CoTaskMemFree
SHELL32.dll	ShellExecuteW
USER32.dll	GetDC
VERSION.dll	VerQueryValueW

Version Infos

Description	Data
LegalCopyright	2012 Sogou.com Inc. All rights reserved.
FileVersion	6.5.0.8721
CompanyName	Sogou.com Inc.
Comments
ProductName
ProductVersion	6.5.0.8721
FileDescription
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Hooks - Code Manipulation Behavior

SSDT

Function Name	New Address
NtQueryVolumeInformationFile	828A67AF
NtQueryDirectoryFile	8288402E
NtProtectVirtualMemory	8289278F
NtAllocateVirtualMemory	82879D68
NtMapViewOfSection	8289672F
NtSystemDebugControl	828D5A2E
NtDeviceIoControlFile	828C38A1
NtLoadDriver	82815A94
NtUnloadDriver	82909D2B
NtCreateFile	8289F5AE
NtOpenFile	82881E2D
NtDeleteFile	827E85AE
NtSetInformationFile	828A6C43
NtWriteFile	828BF404
NtReadFile	828B2143
NtReadVirtualMemory	828AFCE3
NtWriteVirtualMemory	828AFBD3
NtCreateMutant	828603F8
NtCreateProcess	8292C9E9
NtSetInformationProcess	828889B3
NtSuspendProcess	8292E4F3
NtResumeProcess	8292E551
NtCreateUserProcess	828BE520
NtCreateProcessEx	8292CA34
NtTerminateProcess	828AAED6
NtCreateKey	82850EAB
NtDeleteKey	8283B8D2
NtDeleteValueKey	8282D2DB
NtSetValueKey	8285A4A8
NtQueryValueKey	8289A7D3
NtNotifyChangeKey	82849E5F
NtEnumerateValueKey	828B9386
NtEnumerateKey	828B6F20
NtCreateSection	828731EB
NtOpenSection	828B9B3B
NtSetSystemInformation	8289E4B8
NtQuerySystemInformation	8287FFF1
NtQueryInformationProcess	82886961
NtCreateThread	8292C7F2
NtCreateThreadEx	828C05FD
NtSetContextThread	8292E05F
NtQueueApcThread	8284BCF2
NtDelayExecution	82878C75
NtTerminateThread	828C883A
NtResumeThread	828C0824
NtSuspendThread	828E53F4
NtQuerySystemTime	828C6FFD
NtAdjustPrivilegesToken	828D50FF
NtRequestWaitReplyPort	8288DC60
NtCreateSymbolicLinkObject	82851876
NtSetSecurityObject	828516A7
NtFsControlFile	828A5B89
NtQueryInformationToken	828A24C5
NtQueryDefaultUILanguage	827F2E5C
NtQueryDefaultLocale	828C7092
NtSetSystemPowerState	82971E4A
NtShutdownSystem	82953419
NtRaiseHardError	82826FE6
NtClose	82894706
NtQueryAttributesFile	828A7E88

IRP Handler

Handler Function	Driver	Address	Type
IRP_MJ_SET_VOLUME_INFORMATION	\Driver\3AAA263B	94F03612	new
IRP_MJ_QUERY_QUOTA	\Driver\3AAA263B	94F03612	new
IRP_MJ_PNP	\Driver\3AAA263B	82703225	new
IRP_MJ_CREATE_MAILSLOT	\Driver\3AAA263B	94F03612	new
IRP_MJ_POWER	\Driver\3AAA263B	94F03612	new
IRP_MJ_DEVICE_CONTROL	\Driver\3AAA263B	94F032E5	new
IRP_MJ_READ	\Driver\3AAA263B	94F03612	new
IRP_MJ_DIRECTORY_CONTROL	\Driver\3AAA263B	94F03612	new
IRP_MJ_QUERY_VOLUME_INFORMATION	\Driver\3AAA263B	94F03612	new
IRP_MJ_SET_SECURITY	\Driver\3AAA263B	94F03612	new
IRP_MJ_WRITE	\Driver\3AAA263B	94F03612	new
IRP_MJ_LOCK_CONTROL	\Driver\3AAA263B	94F03612	new
IRP_MJ_CLEANUP	\Driver\3AAA263B	94F03612	new
IRP_MJ_CLOSE	\Driver\3AAA263B	94F03612	new
IRP_MJ_INTERNAL_DEVICE_CONTROL	\Driver\3AAA263B	94F03612	new
IRP_MJ_CREATE	\Driver\3AAA263B	94F03612	new
IRP_MJ_CREATE_NAMED_PIPE	\Driver\3AAA263B	94F03612	new
IRP_MJ_DEVICE_CHANGE	\Driver\3AAA263B	94F03612	new
IRP_MJ_SET_INFORMATION	\Driver\3AAA263B	94F03612	new
IRP_MJ_QUERY_EA	\Driver\3AAA263B	94F03612	new
IRP_MJ_FILE_SYSTEM_CONTROL	\Driver\3AAA263B	94F03612	new
IRP_MJ_FLUSH_BUFFERS	\Driver\3AAA263B	94F03612	new
IRP_MJ_SET_EA	\Driver\3AAA263B	94F03612	new
IRP_MJ_SYSTEM_CONTROL	\Driver\3AAA263B	94F03612	new
IRP_MJ_QUERY_SECURITY	\Driver\3AAA263B	94F03612	new
IRP_MJ_SET_QUOTA	\Driver\3AAA263B	94F03612	new
IRP_MJ_QUERY_INFORMATION	\Driver\3AAA263B	94F03612	new
IRP_MJ_SHUTDOWN	\Driver\3AAA263B	94F03612	new

New Device

Driver	Device	Attached to (upper)	Attached to (lower)
\Driver\3AAA263B	\Device\FISINF	unknown	unknown

Kernel Modules

Module: ntoskrnl.exe

Function Name	Hook Type	New Data
KeInsertQueueApc	INLINE	0xE9 0x90 0x00 0x00 0x07 0x78

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe PID: 2632 Parent PID: 3792

General

Start time:	21:33:13
Start date:	04/05/2015
Path:	C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	225792 bytes
MD5 hash:	6F6D18DD0B2C54D34C44FF0A274399E0

Chronological Activities

Analysis Process: 5dac7ebf.exe PID: 2764 Parent PID: 2632

General

Start time:	21:33:14
Start date:	04/05/2015
Path:	C:\5dac7ebf.exe
Wow64 process (32bit):	false
Commandline:	C:\5dac7ebf.exe
Imagebase:	0x76ec0000
File size:	57344 bytes
MD5 hash:	7B8215016A01816BD7612AE3B09B023D

Chronological Activities

Analysis Process: reg.exe PID: 2792 Parent PID: 868

General

Start time:	21:33:14
Start date:	04/05/2015
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x430000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560

Chronological Activities

Analysis Process: reg.exe PID: 2260 Parent PID: 868

General

Start time:	21:33:14
Start date:	04/05/2015
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x75740000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560

Chronological Activities

Analysis Process: reg.exe PID: 3188 Parent PID: 868

General

Start time:	21:33:15
Start date:	04/05/2015
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x754b0000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560

Chronological Activities

Analysis Process: 3AAA263B.sys PID: 4 Parent PID: -1

General

Start time:	21:33:15
Start date:	04/05/2015
Path:	C:\WINDOWS\system32\3AAA263B.sys
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x9a0000
File size:	7888 bytes
MD5 hash:	4D7DF3DAF2EE2605FC194649C7B9C7CA

Chronological Activities

Analysis Process: reg.exe PID: 2828 Parent PID: 868

General

Start time:	21:33:15
Start date:	04/05/2015
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x75740000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560

Chronological Activities

Analysis Process: iexplore.exe PID: 2552 Parent PID: 868

General

Start time:	21:33:17
Start date:	04/05/2015
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0xb40000
File size:	815288 bytes
MD5 hash:	363BC25BACB34E9D40441968B1B3D5BE

Chronological Activities

Analysis Process: ie4uinit.exe PID: 2568 Parent PID: 2552

General

Start time:	21:33:18
Start date:	04/05/2015
Path:	C:\Windows\System32\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\ie4uinit.exe -ShowQLIcon
Imagebase:	0xb60000
File size:	684544 bytes
MD5 hash:	73AFBF165241EB4502CD15107AA12CBA

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe PID: 2632 Parent PID: 3792

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.3%
Total number of Nodes:	668
Total number of Limit Nodes:	25

Executed Functions

Function 0040354B, Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 245

APIs

73E11541.COMCTL32 ref: 0040356A
SetErrorMode.KERNELBASE(00008001), ref: 00403575
OleInitialize.OLE32(00000000), ref: 0040357C

Part of subcall function 00405CF5: GetModuleHandleA.KERNEL32(?,00000000,00000013,00406663,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 00405D05
Part of subcall function 00405CF5: LoadLibraryA.KERNEL32(?), ref: 00405D10
Part of subcall function 00405CF5: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00405D21

SHGetFileInfoW.SHELL32(0040861C,00000000,?,000002B4,00000000), ref: 004035A4

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

GetCommandLineW.KERNEL32(NSIS Error,NSIS Error), ref: 004035B9
GetModuleHandleW.KERNEL32(00000000,"C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe" ,00000000), ref: 004035CC

Part of subcall function 004058E9: CharNextW.USER32(00000000), ref: 004058F7

CharNextW.USER32(00000000), ref: 004035F3
GetTempPathW.KERNEL32(00002004,C:\Users\admin\AppData\Local\Temp\), ref: 004036C6

Part of subcall function 0040347E: CreateDirectoryW.KERNELBASE(C:\Users\admin\AppData\Local\Temp\,00000000,C:\Users\admin\AppData\Local\Temp\,C:\Users\admin\AppData\Local\Temp\,C:\Users\admin\AppData\Local\Temp\), ref: 0040349F

GetWindowsDirectoryW.KERNEL32(C:\Users\admin\AppData\Local\Temp\,00001FFF), ref: 004036DB
lstrcatW.KERNEL32(C:\Users\admin\AppData\Local\Temp\,\Temp), ref: 004036E7
DeleteFileW.KERNELBASE(C:\Users\admin\AppData\Local\Temp\nso5566.tmp), ref: 004036FE

Part of subcall function 004031E3: GetTickCount.KERNEL32 ref: 004031F7
Part of subcall function 004031E3: GetModuleFileNameW.KERNEL32(00000000,C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,00002004), ref: 00403213
Part of subcall function 004031E3: GetFileSize.KERNEL32(00000000,00000000,virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,00000000,004CD0B8,004CD0B8,C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,80000000,00000003), ref: 0040325C
Part of subcall function 004031E3: GlobalAlloc.KERNEL32(00000040,?), ref: 00403398
Part of subcall function 004031E3: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000), ref: 004033D1

Part of subcall function 00406178: lstrlenW.KERNEL32(004562B0,?,00000000,004562B0,004562B0,004066A2,004120B8,00000000,004066A2,?,00471000), ref: 004061D9
Part of subcall function 00406178: GetFileAttributesW.KERNEL32(004562B0,004562B0), ref: 004061E6

Part of subcall function 0040552E: lstrcatW.KERNEL32(C:\Users\admin\AppData\Local\Temp\nso5566.tmp,00446230), ref: 004055B2
Part of subcall function 0040552E: lstrlenW.KERNEL32(00460520,?,00000000,?,00460520,00000000,004C50A8,C:\Users\admin\AppData\Local\Temp\nso5566.tmp,00446230,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446230,00000000,00000006,"C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe" ), ref: 00405635
Part of subcall function 0040552E: lstrcmpiW.KERNEL32(00460518,.exe,00460520,?,00000000,?,00460520,00000000,004C50A8,C:\Users\admin\AppData\Local\Temp\nso5566.tmp,00446230,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446230,00000000), ref: 00405648
Part of subcall function 0040552E: GetFileAttributesW.KERNEL32(00460520,?,?,?,?,00000000,00403786), ref: 00405653
Part of subcall function 0040552E: LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C50A8), ref: 004056A5
Part of subcall function 0040552E: RegisterClassW.USER32(00468540), ref: 004056F5
Part of subcall function 0040552E: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040570C
Part of subcall function 0040552E: CreateWindowExW.USER32(00000080,00000000,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040573E
Part of subcall function 0040552E: ShowWindow.USER32(00000005), ref: 00405774
Part of subcall function 0040552E: LoadLibraryW.KERNEL32(RichEd20), ref: 00405785
Part of subcall function 0040552E: LoadLibraryW.KERNEL32(RichEd32), ref: 00405790
Part of subcall function 0040552E: GetClassInfoW.USER32(00000000,RichEdit20A,00468540), ref: 0040579F
Part of subcall function 0040552E: GetClassInfoW.USER32(00000000,RichEdit,00468540), ref: 004057AC
Part of subcall function 0040552E: RegisterClassW.USER32(00468540), ref: 004057B9
Part of subcall function 0040552E: DialogBoxParamW.USER32(?,00000000,0040507B,00000000), ref: 004057D8

Part of subcall function 00403509: CloseHandle.KERNEL32(FFFFFFFF), ref: 0040351B
Part of subcall function 00403509: CloseHandle.KERNEL32(FFFFFFFF), ref: 0040352F

SetErrorInfo.OLE32(?,004CD0B8), ref: 0040378F
ExitWindowsEx.USER32(00000002,00000000), ref: 004038FE

Part of subcall function 00405883: MessageBoxIndirectW.USER32(0040A030), ref: 004058E0

ExitProcess.KERNEL32 ref: 004037AF
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004038C2

Strings

SeShutdownPrivilege, xrefs: 004038D4
C:\Users\admin\AppData\Local\Temp\, xrefs: 004036BB, 004036C0, 004036DA, 004036E6
NSIS Error, xrefs: 004035AA
C:\Users\admin\AppData\Local\Temp\nso5566.tmp, xrefs: 004036F9
NCRC, xrefs: 00403642
NSIS Error, xrefs: 004035AF
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040355E
\Temp, xrefs: 004036E1
"C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe" , xrefs: 004035C0, 004035C5, 0040371E
_?=, xrefs: 0040372A
~nsu.tmp, xrefs: 004037B5
/D=, xrefs: 0040366D
Error launching installer, xrefs: 00403742

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 005F8000, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160

APIs

CreateFileA.KERNEL32(C:\5dac7ebf.exe,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 005F8232

Strings

C:\5dac7ebf.exe, xrefs: 005F822E, 005F8231
GetProcAddress, xrefs: 005F80E2

Memory Dump Source

Source File: 00000001.00000002.4324852324.005F8000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324751431.00401000.00000040.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00405CF5, Relevance: 4.5, APIs: 3, Instructions: 19

APIs

GetModuleHandleA.KERNEL32(?,00000000,00000013,00406663,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 00405D05
LoadLibraryA.KERNEL32(?), ref: 00405D10
GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00405D21

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 004031E3, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 205

APIs

GetTickCount.KERNEL32 ref: 004031F7
GetModuleFileNameW.KERNEL32(00000000,C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,00002004), ref: 00403213

Part of subcall function 00405A34: GetFileAttributesW.KERNEL32(?,0040656E,0045F910,C0000000,00000004,0045F910,?,00000000,00000000,?,00000000), ref: 00405A38
Part of subcall function 00405A34: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A5A

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

Part of subcall function 0040614B: lstrlenW.KERNEL32(004562B0,004562B0,004061D8,004562B0,004562B0), ref: 00406151
Part of subcall function 0040614B: CharPrevW.USER32(004562B0,00000000), ref: 00406162

GetFileSize.KERNEL32(00000000,00000000,virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,00000000,004CD0B8,004CD0B8,C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,80000000,00000003), ref: 0040325C

Part of subcall function 00402E4F: DestroyWindow.USER32(00000000), ref: 00402E6A
Part of subcall function 00402E4F: GetTickCount.KERNEL32(00000000,00000001,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402E88
Part of subcall function 00402E4F: wsprintfW.USER32 ref: 00402EB6
Part of subcall function 00402E4F: CreateDialogParamW.USER32(0000006F,00000000,00402DD0,00000000), ref: 00402EDA
Part of subcall function 00402E4F: ShowWindow.USER32(00000000,00000005), ref: 00402EE8

GlobalAlloc.KERNEL32(00000040,?), ref: 00403398

Part of subcall function 00405A63: GetTickCount.KERNEL32(00000000,000000EF,?,?,?,004018D2,00000000,00000000,?,00000000), ref: 00405A81
Part of subcall function 00405A63: GetTempFileNameW.KERNELBASE(00000000,?,00000000,?,?,?,?,004018D2,00000000,00000000,?,00000000), ref: 00405A9C

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000), ref: 004033D1

Part of subcall function 00402F23: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402F74,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000), ref: 00402F31

Part of subcall function 004030B8: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000,00000000,000000EA,?,0040A0A8), ref: 004030DE
Part of subcall function 004030B8: ReadFile.KERNEL32(?,00000004,00000000,00000000,00471000), ref: 0040310C
Part of subcall function 004030B8: ReadFile.KERNEL32(0042E1C8,00004000,00000000,00000000,?), ref: 00403166
Part of subcall function 004030B8: WriteFile.KERNEL32(00000000,0042E1C8,00000000,00000000,00000000), ref: 0040317E
Part of subcall function 004030B8: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004031C2

Part of subcall function 00402EF1: ReadFile.KERNEL32(?,00000000,00000000,00000000,0042E1C8), ref: 00402F08

Strings

C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe, xrefs: 00403202, 00403207, 00403220, 0040323D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004033F3
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033E1
Null, xrefs: 004032DA
C:\Users\admin\AppData\Local\Temp\, xrefs: 004033AA
virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe, xrefs: 00403250
soft, xrefs: 004032D1
Error launching installer, xrefs: 00403233
Inst, xrefs: 004032C8

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 004037BA, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 71

APIs

Part of subcall function 00405CF5: GetModuleHandleA.KERNEL32(?,00000000,00000013,00406663,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 00405D05
Part of subcall function 00405CF5: LoadLibraryA.KERNEL32(?), ref: 00405D10
Part of subcall function 00405CF5: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00405D21

Part of subcall function 00403509: CloseHandle.KERNEL32(FFFFFFFF), ref: 0040351B
Part of subcall function 00403509: CloseHandle.KERNEL32(FFFFFFFF), ref: 0040352F

SetErrorInfo.OLE32(?,004CD0B8), ref: 0040378F
ExitWindowsEx.USER32(00000002,00000000), ref: 004038FE

Part of subcall function 00405883: MessageBoxIndirectW.USER32(0040A030), ref: 004058E0

ExitProcess.KERNEL32 ref: 004037AF
lstrcatW.KERNEL32 ref: 004037BB
lstrcmpiW.KERNEL32(?,004CD0B8), ref: 004037C7
CreateDirectoryW.KERNEL32(?,?,?,004CD0B8), ref: 004037D3
SetCurrentDirectoryW.KERNEL32(?,?,?,?,004CD0B8), ref: 004037DA

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

DeleteFileW.KERNEL32(004321D8,004321D8,?,00475008,004085BC,00471000,?,?,?,?,?,004CD0B8), ref: 0040382B
CopyFileW.KERNEL32(C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe,004321D8,00000001), ref: 0040383F

Part of subcall function 00405822: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00456268,00000000), ref: 00405847
Part of subcall function 00405822: CloseHandle.KERNEL32(?), ref: 00405854

CloseHandle.KERNEL32(00000000), ref: 0040386C
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004038C2

Strings

C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe, xrefs: 0040383A

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 005D3D20, Relevance: 7.7, APIs: 5, Instructions: 184

APIs

LoadLibraryA.KERNEL32(?), ref: 005D3E5A
GetProcAddress.KERNEL32(?,005D1FF9), ref: 005D3E78
ExitProcess.KERNEL32(?,005D1FF9), ref: 005D3E89
VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,-000000E8), ref: 005D3EA6
VirtualProtect.KERNELBASE(00400000,00001000), ref: 005D3EBB

Memory Dump Source

Source File: 00000001.00000001.4311015150.005CF000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4310766025.00400000.00000002.sdmp
Associated: 00000001.00000001.4310775873.00401000.00000040.sdmp
Associated: 00000001.00000001.4311019089.005D4000.00000008.sdmp
Associated: 00000001.00000001.4311024977.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_virussign.jbxd

Function 005F8247, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42

APIs

WriteFile.KERNEL32(000000FF,?,0000E000,?,00000000), ref: 005F82B1
CloseHandle.KERNEL32(000000FF), ref: 005F82B7
WinExec.KERNEL32(C:\5dac7ebf.exe,00000005), ref: 005F82C0

Strings

C:\5dac7ebf.exe, xrefs: 005F82BC, 005F82BF

Memory Dump Source

Source File: 00000001.00000001.4311024977.005F8000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.4310766025.00400000.00000002.sdmp
Associated: 00000001.00000001.4310775873.00401000.00000040.sdmp
Associated: 00000001.00000001.4311015150.005CF000.00000080.sdmp
Associated: 00000001.00000001.4311019089.005D4000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_virussign.jbxd

Function 00405A63, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37

APIs

GetTickCount.KERNEL32(00000000,000000EF,?,?,?,004018D2,00000000,00000000,?,00000000), ref: 00405A81
GetTempFileNameW.KERNELBASE(00000000,?,00000000,?,?,?,?,004018D2,00000000,00000000,?,00000000), ref: 00405A9C

Strings

nsa, xrefs: 00405A70

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 0040347E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20

APIs

Part of subcall function 00405C1D: CharNextW.USER32( C), ref: 00405C80
Part of subcall function 00405C1D: CharNextW.USER32( C), ref: 00405C8F
Part of subcall function 00405C1D: CharNextW.USER32( C), ref: 00405C94
Part of subcall function 00405C1D: CharPrevW.USER32( C, C), ref: 00405CA8

Part of subcall function 0040611C: lstrlenW.KERNEL32(?,0040A0A8,00401916,00000000,0040A0A8,004C90B0,00000000,00000000,00000000,00000000,?,00000000), ref: 00406122
Part of subcall function 0040611C: CharPrevW.USER32(?,00000000), ref: 0040612D
Part of subcall function 0040611C: lstrcatW.KERNEL32(?,004082C8), ref: 0040613F

CreateDirectoryW.KERNELBASE(C:\Users\admin\AppData\Local\Temp\,00000000,C:\Users\admin\AppData\Local\Temp\,C:\Users\admin\AppData\Local\Temp\,C:\Users\admin\AppData\Local\Temp\), ref: 0040349F

Part of subcall function 00405A63: GetTickCount.KERNEL32(00000000,000000EF,?,?,?,004018D2,00000000,00000000,?,00000000), ref: 00405A81
Part of subcall function 00405A63: GetTempFileNameW.KERNELBASE(00000000,?,00000000,?,?,?,?,004018D2,00000000,00000000,?,00000000), ref: 00405A9C

Strings

C:\Users\admin\AppData\Local\Temp\, xrefs: 0040347F, 00403484, 00403496, 0040349E, 004034A5
C:\Users\admin\AppData\Local\Temp\nso5566.tmp, xrefs: 004034A6

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00405883, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22

APIs

MessageBoxIndirectW.USER32(0040A030), ref: 004058E0

Strings

NSIS Error, xrefs: 004058D0

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00405A34, Relevance: 3.0, APIs: 2, Instructions: 16

APIs

GetFileAttributesW.KERNEL32(?,0040656E,0045F910,C0000000,00000004,0045F910,?,00000000,00000000,?,00000000), ref: 00405A38
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A5A

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00403509, Relevance: 2.5, APIs: 2, Instructions: 20

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 0040351B
CloseHandle.KERNEL32(FFFFFFFF), ref: 0040352F

Part of subcall function 00403941: FreeLibrary.KERNEL32(?,?,00000000,759CE918,0040353D), ref: 0040395B
Part of subcall function 00403941: GlobalFree.KERNEL32(00000000,?,00000000,759CE918,0040353D), ref: 00403962

Part of subcall function 0040668F: DeleteFileW.KERNEL32(?,?,00471000), ref: 004066AE
Part of subcall function 0040668F: lstrcatW.KERNEL32(0045B908,\*.*), ref: 004066FE
Part of subcall function 0040668F: lstrcatW.KERNEL32(?,004082C8), ref: 0040671E
Part of subcall function 0040668F: lstrlenW.KERNEL32(?), ref: 00406721
Part of subcall function 0040668F: FindFirstFileW.KERNEL32(0045B908,?), ref: 00406735
Part of subcall function 0040668F: DeleteFileW.KERNEL32(?,?,00000000,?,?,0000003F), ref: 004067B0
Part of subcall function 0040668F: FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 004067EB
Part of subcall function 0040668F: FindClose.KERNEL32(00000000), ref: 004067FC
Part of subcall function 0040668F: RemoveDirectoryW.KERNEL32(?,?,?,?), ref: 00406838

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00402EF1, Relevance: 1.5, APIs: 1, Instructions: 22

APIs

ReadFile.KERNEL32(?,00000000,00000000,00000000,0042E1C8), ref: 00402F08

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Non-executed Functions

Function 00405DA6, Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0,00000000,00000001,FFFFFD66), ref: 00405DB9
lstrlenW.KERNEL32(00000000), ref: 00405DC6
GetVersionExW.KERNEL32(?), ref: 00405E24
LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00405E63
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00405E82
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00405E8C
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00405E97
FreeLibrary.KERNEL32(00000000), ref: 00405ECE
GlobalFree.KERNEL32(?), ref: 00405ED7
lstrcpyW.KERNEL32(?,Unknown), ref: 00405F02
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00405F18
CloseHandle.KERNEL32(00000000), ref: 00405F4A
CharUpperW.USER32(?), ref: 00405F57
lstrcmpW.KERNEL32(00000000,?), ref: 00405F65
GlobalFree.KERNEL32(?), ref: 00405F82
LoadLibraryA.KERNEL32(Kernel32.DLL), ref: 00405F9A
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00405FB5
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00405FC0
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00405FCB
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00405FD6
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 00405FE1
FreeLibrary.KERNEL32(00000000), ref: 0040604B
lstrcmpW.KERNEL32(?,?), ref: 0040608D
CloseHandle.KERNEL32(00000000), ref: 004060B1
CloseHandle.KERNEL32(?), ref: 004060D1
FreeLibrary.KERNEL32(?), ref: 004060DA
CloseHandle.KERNEL32(?), ref: 004060EC
FreeLibrary.KERNEL32(00000000), ref: 004060F3
CloseHandle.KERNEL32(00000000), ref: 004060FF

Part of subcall function 00405C10: CharUpperW.USER32(?), ref: 00405C16

Strings

Process32FirstW, xrefs: 00405FB7
GetModuleBaseNameW, xrefs: 00405E8E
EnumProcessModules, xrefs: 00405E84
Process32NextW, xrefs: 00405FC2
Kernel32.DLL, xrefs: 00405F95
PSAPI.DLL, xrefs: 00405E5E
EnumProcesses, xrefs: 00405E7C
Unknown, xrefs: 00405EF6
Module32FirstW, xrefs: 00405FCD
CreateToolhelp32Snapshot, xrefs: 00405FAF
Module32NextW, xrefs: 00405FD8

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00404CEA, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 290

APIs

GetDlgItem.USER32(?,00000403), ref: 00404D4C
GetDlgItem.USER32(?,000003EE), ref: 00404D5B
GetDlgItem.USER32(?,000003F8), ref: 00404D6A
GetClientRect.USER32(?,?), ref: 00404D98
GetSystemMetrics.USER32(00000015), ref: 00404DA0
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00404DC1
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00404DD2
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00404DE5
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00404DF3
SendMessageW.USER32(?,00001024,00000000,?), ref: 00404E06

Part of subcall function 004039FD: SetDlgItemTextW.USER32(?,?,00000000), ref: 00403A17

ShowWindow.USER32(00000000), ref: 00404E28
ShowWindow.USER32(?,00000008), ref: 00404E3C
GetDlgItem.USER32(?,000003EC), ref: 00404E5D
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404E6D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404E82
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00404E8E
GetDlgItem.USER32(?,000003EC), ref: 00404EAD
CreateThread.KERNEL32(00000000,00000000,Function_00004C7E,00000000), ref: 00404EBB
CloseHandle.KERNEL32(00000000), ref: 00404EC2
ShowWindow.USER32(00000000), ref: 00404EE9
ShowWindow.USER32(00000000,00000008), ref: 00404EEE

Part of subcall function 00403A56: SendMessageW.USER32(00000028,?,00000001), ref: 00403A64

Part of subcall function 00403A88: GetWindowLongW.USER32(?,000000EB), ref: 00403AA2
Part of subcall function 00403A88: GetSysColor.USER32(00000000), ref: 00403ABE
Part of subcall function 00403A88: SetTextColor.GDI32(?,00000000), ref: 00403ACA
Part of subcall function 00403A88: SetBkMode.GDI32(?,?), ref: 00403AD6
Part of subcall function 00403A88: GetSysColor.USER32(?), ref: 00403AE9
Part of subcall function 00403A88: SetBkColor.GDI32(?,?), ref: 00403AF9
Part of subcall function 00403A88: DeleteObject.GDI32(?), ref: 00403B13
Part of subcall function 00403A88: CreateBrushIndirect.GDI32(?), ref: 00403B1D

ShowWindow.USER32(00000008), ref: 00404F35

Part of subcall function 00404BA9: lstrlenW.KERNEL32(0043E220,?), ref: 00404BE1
Part of subcall function 00404BA9: lstrlenW.KERNEL32(?,0043E220,?), ref: 00404BF1
Part of subcall function 00404BA9: lstrcatW.KERNEL32(0043E220,?), ref: 00404C04
Part of subcall function 00404BA9: SetWindowTextW.USER32(0043E220,0043E220), ref: 00404C16
Part of subcall function 00404BA9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404C3C
Part of subcall function 00404BA9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404C56
Part of subcall function 00404BA9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404C64

Part of subcall function 004039D6: SendMessageW.USER32(00000408,?,00000000), ref: 004039F4

SendMessageW.USER32(00000000,00001004,00000000,00000000), ref: 00404F67
CreatePopupMenu.USER32 ref: 00404F78

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00404F8D
GetWindowRect.USER32(00000000,?), ref: 00404FA0
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00404FC2
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404FFD
OpenClipboard.USER32(00000000), ref: 0040500D
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405013
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040501F
GlobalLock.KERNEL32(00000000), ref: 00405029
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040503D
GlobalUnlock.KERNEL32(00000000), ref: 0040505F
SetClipboardData.USER32(0000000D,00000000), ref: 0040506A
CloseClipboard.USER32 ref: 00405070

Strings

{, xrefs: 00404F54

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00404141, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404190
SetWindowTextW.USER32(?,?), ref: 004041BD

Part of subcall function 004039FD: SetDlgItemTextW.USER32(?,?,00000000), ref: 00403A17

Part of subcall function 00403A56: SendMessageW.USER32(00000028,?,00000001), ref: 00403A64

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

SHBrowseForFolderW.SHELL32(?), ref: 00404275
CoTaskMemFree.OLE32(00000000), ref: 00404280

Part of subcall function 0040611C: lstrlenW.KERNEL32(?,0040A0A8,00401916,00000000,0040A0A8,004C90B0,00000000,00000000,00000000,00000000,?,00000000), ref: 00406122
Part of subcall function 0040611C: CharPrevW.USER32(?,00000000), ref: 0040612D
Part of subcall function 0040611C: lstrcatW.KERNEL32(?,004082C8), ref: 0040613F

lstrcmpiW.KERNEL32(00460520,00446230,00000000,?,?), ref: 004042B2
lstrcatW.KERNEL32(?,00460520), ref: 004042BE
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004042CE

Part of subcall function 00405867: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403C1E), ref: 0040587A

Part of subcall function 00406178: lstrlenW.KERNEL32(004562B0,?,00000000,004562B0,004562B0,004066A2,004120B8,00000000,004066A2,?,00471000), ref: 004061D9
Part of subcall function 00406178: GetFileAttributesW.KERNEL32(004562B0,004562B0), ref: 004061E6

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

Part of subcall function 00405CF5: GetModuleHandleA.KERNEL32(?,00000000,00000013,00406663,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 00405D05
Part of subcall function 00405CF5: LoadLibraryA.KERNEL32(?), ref: 00405D10
Part of subcall function 00405CF5: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00405D21

Part of subcall function 0040614B: lstrlenW.KERNEL32(004562B0,004562B0,004061D8,004562B0,004562B0), ref: 00406151
Part of subcall function 0040614B: CharPrevW.USER32(004562B0,00000000), ref: 00406162

Part of subcall function 0040593D: CharNextW.USER32(000000F0), ref: 0040594B
Part of subcall function 0040593D: CharNextW.USER32(00000000), ref: 00405950
Part of subcall function 0040593D: CharNextW.USER32(00000000), ref: 00405968

GetDiskFreeSpaceW.KERNEL32(0043A218,?,?,0000040F,?,0043A218,0043A218,?,00000000,0043A218,?,?,000003FB,?), ref: 00404390
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004043AB
SetDlgItemTextW.USER32(00000000,00000400,0040861C), ref: 00404424

Part of subcall function 00403A43: EnableWindow.USER32(?), ref: 00403A4D

Part of subcall function 00403A88: GetWindowLongW.USER32(?,000000EB), ref: 00403AA2
Part of subcall function 00403A88: GetSysColor.USER32(00000000), ref: 00403ABE
Part of subcall function 00403A88: SetTextColor.GDI32(?,00000000), ref: 00403ACA
Part of subcall function 00403A88: SetBkMode.GDI32(?,?), ref: 00403AD6
Part of subcall function 00403A88: GetSysColor.USER32(?), ref: 00403AE9
Part of subcall function 00403A88: SetBkColor.GDI32(?,?), ref: 00403AF9
Part of subcall function 00403A88: DeleteObject.GDI32(?), ref: 00403B13
Part of subcall function 00403A88: CreateBrushIndirect.GDI32(?), ref: 00403B1D

Part of subcall function 00403A1F: SendMessageW.USER32(?,000000F4,00000001,00000001), ref: 00403A3C

Part of subcall function 00404049: lstrlenW.KERNEL32(00446230,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00446230,?), ref: 004040E6
Part of subcall function 00404049: wsprintfW.USER32 ref: 004040F3
Part of subcall function 00404049: SetDlgItemTextW.USER32(?,00446230,000000DF), ref: 00404106

Part of subcall function 00405C1D: CharNextW.USER32( C), ref: 00405C80
Part of subcall function 00405C1D: CharNextW.USER32( C), ref: 00405C8F
Part of subcall function 00405C1D: CharNextW.USER32( C), ref: 00405C94
Part of subcall function 00405C1D: CharPrevW.USER32( C, C), ref: 00405CA8

Strings

A, xrefs: 0040426E

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 0040668F, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162

APIs

Part of subcall function 00406178: lstrlenW.KERNEL32(004562B0,?,00000000,004562B0,004562B0,004066A2,004120B8,00000000,004066A2,?,00471000), ref: 004061D9
Part of subcall function 00406178: GetFileAttributesW.KERNEL32(004562B0,004562B0), ref: 004061E6

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

lstrcatW.KERNEL32(0045B908,\*.*), ref: 004066FE

Part of subcall function 0040614B: lstrlenW.KERNEL32(004562B0,004562B0,004061D8,004562B0,004562B0), ref: 00406151
Part of subcall function 0040614B: CharPrevW.USER32(004562B0,00000000), ref: 00406162

lstrcatW.KERNEL32(?,004082C8), ref: 0040671E
lstrlenW.KERNEL32(?), ref: 00406721
FindFirstFileW.KERNEL32(0045B908,?), ref: 00406735

Part of subcall function 0040668F: DeleteFileW.KERNEL32(?,?,00471000), ref: 004066AE

DeleteFileW.KERNEL32(?,?,00000000,?,?,0000003F), ref: 004067B0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 004067EB
FindClose.KERNEL32(00000000), ref: 004067FC

Part of subcall function 00405CCE: FindFirstFileW.KERNEL32(00000000,0045AEB8,00000000,004017C3,00000000), ref: 00405CD9
Part of subcall function 00405CCE: FindClose.KERNEL32(00000000), ref: 00405CE5

Part of subcall function 0040611C: lstrlenW.KERNEL32(?,0040A0A8,00401916,00000000,0040A0A8,004C90B0,00000000,00000000,00000000,00000000,?,00000000), ref: 00406122
Part of subcall function 0040611C: CharPrevW.USER32(?,00000000), ref: 0040612D
Part of subcall function 0040611C: lstrcatW.KERNEL32(?,004082C8), ref: 0040613F

Part of subcall function 00405A14: GetFileAttributesW.KERNEL32(00000000,0040196F,0040A0A8,0040A0A8,00000000,00000000,0040A0A8,004C90B0,00000000,00000000,00000000,00000000,?,00000000), ref: 00405A18
Part of subcall function 00405A14: SetFileAttributesW.KERNEL32(?,00000000,?,00000000), ref: 00405A2B

RemoveDirectoryW.KERNEL32(?,?,?,?), ref: 00406838

Part of subcall function 00404BA9: lstrlenW.KERNEL32(0043E220,?), ref: 00404BE1
Part of subcall function 00404BA9: lstrlenW.KERNEL32(?,0043E220,?), ref: 00404BF1
Part of subcall function 00404BA9: lstrcatW.KERNEL32(0043E220,?), ref: 00404C04
Part of subcall function 00404BA9: SetWindowTextW.USER32(0043E220,0043E220), ref: 00404C16
Part of subcall function 00404BA9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404C3C
Part of subcall function 00404BA9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404C56
Part of subcall function 00404BA9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404C64

Part of subcall function 004058E9: CharNextW.USER32(00000000), ref: 004058F7

Strings

\*.*, xrefs: 004066F8

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 004045B3, Relevance: 61.7, APIs: 30, Strings: 5, Instructions: 470

APIs

GetDlgItem.USER32(?,000003F9), ref: 004045CA
GetDlgItem.USER32(?,00000408), ref: 004045D7
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00404626
LoadBitmapW.USER32(0000006E), ref: 00404639
SetWindowLongW.USER32(?,000000FC,Function_00004503), ref: 00404653
SendMessageW.USER32(?,00001109,00000002), ref: 0040468F
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040469B
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 004046AB
DeleteObject.GDI32(?), ref: 004046B0

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004046DB
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004046E7

Part of subcall function 004039FD: SetDlgItemTextW.USER32(?,?,00000000), ref: 00403A17

SendMessageW.USER32(?,00001132,00000000,?), ref: 00404788
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004047AB
SendMessageW.USER32(?,00001132,00000000,?), ref: 004047BC
GetWindowLongW.USER32(?,000000F0), ref: 004047E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004047F5
ShowWindow.USER32(?,00000005), ref: 00404806

Part of subcall function 00403A56: SendMessageW.USER32(00000028,?,00000001), ref: 00403A64

Part of subcall function 00404485: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004044A0
Part of subcall function 00404485: GetMessagePos.USER32 ref: 004044A8
Part of subcall function 00404485: ScreenToClient.USER32(?,?), ref: 004044C0
Part of subcall function 00404485: SendMessageW.USER32(?,00001111,00000000,?), ref: 004044D2
Part of subcall function 00404485: SendMessageW.USER32(?,0000113E,00000000,?), ref: 004044F8

SendMessageW.USER32(?,00000419,00000000,?), ref: 00404904
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040495F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404974
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404998
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004049BE
GlobalFree.KERNEL32(00000000), ref: 004049E3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404A53
SendMessageW.USER32(?,00001102,?,?), ref: 00404B01
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404B10
InvalidateRect.USER32(?,00000000,00000001), ref: 00404B30

Part of subcall function 00404049: lstrlenW.KERNEL32(00446230,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00446230,?), ref: 004040E6
Part of subcall function 00404049: wsprintfW.USER32 ref: 004040F3
Part of subcall function 00404049: SetDlgItemTextW.USER32(?,00446230,000000DF), ref: 00404106

ShowWindow.USER32(?,00000000), ref: 00404B80
GetDlgItem.USER32(?,000003FE), ref: 00404B8B
ShowWindow.USER32(00000000), ref: 00404B92

Part of subcall function 00403A88: GetWindowLongW.USER32(?,000000EB), ref: 00403AA2
Part of subcall function 00403A88: GetSysColor.USER32(00000000), ref: 00403ABE
Part of subcall function 00403A88: SetTextColor.GDI32(?,00000000), ref: 00403ACA
Part of subcall function 00403A88: SetBkMode.GDI32(?,?), ref: 00403AD6
Part of subcall function 00403A88: GetSysColor.USER32(?), ref: 00403AE9
Part of subcall function 00403A88: SetBkColor.GDI32(?,?), ref: 00403AF9
Part of subcall function 00403A88: DeleteObject.GDI32(?), ref: 00403B13
Part of subcall function 00403A88: CreateBrushIndirect.GDI32(?), ref: 00403B1D

Strings

, xrefs: 00404B70
N, xrefs: 0040483D
u<s, xrefs: 00404665
@, xrefs: 004047C7
M, xrefs: 0040477A

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 0040507B, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004050B7
ShowWindow.USER32(?), ref: 004050D4
DestroyWindow.USER32 ref: 004050E8
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405104
GetDlgItem.USER32(?,?), ref: 00405125
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405139
IsWindowEnabled.USER32(00000000), ref: 00405140

Part of subcall function 004039D6: SendMessageW.USER32(00000408,?,00000000), ref: 004039F4

SendMessageW.USER32(00000111,?,?), ref: 004051B5

Part of subcall function 00403A88: GetWindowLongW.USER32(?,000000EB), ref: 00403AA2
Part of subcall function 00403A88: GetSysColor.USER32(00000000), ref: 00403ABE
Part of subcall function 00403A88: SetTextColor.GDI32(?,00000000), ref: 00403ACA
Part of subcall function 00403A88: SetBkMode.GDI32(?,?), ref: 00403AD6
Part of subcall function 00403A88: GetSysColor.USER32(?), ref: 00403AE9
Part of subcall function 00403A88: SetBkColor.GDI32(?,?), ref: 00403AF9
Part of subcall function 00403A88: DeleteObject.GDI32(?), ref: 00403B13
Part of subcall function 00403A88: CreateBrushIndirect.GDI32(?), ref: 00403B1D

GetDlgItem.USER32(?,00000001), ref: 004051EF
GetDlgItem.USER32(?,00000002), ref: 004051F9
SetClassLongW.USER32(?,000000F2), ref: 00405213
SendMessageW.USER32(0000040F,00000000,00000001), ref: 00405264

Part of subcall function 00403A6D: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00403A7F

ShowWindow.USER32(?,0000000A), ref: 00405512

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

Part of subcall function 004039FD: SetDlgItemTextW.USER32(?,?,00000000), ref: 00403A17

GetDlgItem.USER32(?,00000003), ref: 0040530A
ShowWindow.USER32(00000000,?), ref: 0040532C
EnableWindow.USER32(?,?), ref: 0040533E

Part of subcall function 00403A43: EnableWindow.USER32(?), ref: 00403A4D

EnableWindow.USER32(?), ref: 00405359
GetSystemMenu.USER32(?,00000000), ref: 0040536F
EnableMenuItem.USER32(00000000), ref: 00405376
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040538E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004053A1

Part of subcall function 00403A56: SendMessageW.USER32(00000028,?,00000001), ref: 00403A64

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

lstrlenW.KERNEL32(00446230,?,00446230,NSIS Error), ref: 004053CA
SetWindowTextW.USER32(?,00446230), ref: 004053DE

Part of subcall function 0040139B: MulDiv.KERNEL32(00007530,00000000), ref: 004013F6
Part of subcall function 0040139B: SendMessageW.USER32(?,00000402,00000000), ref: 00401406

DestroyWindow.USER32 ref: 00405426
CreateDialogParamW.USER32(?,?,FFB8FA3F), ref: 0040545A
GetDlgItem.USER32(?,000003FA), ref: 00405483
GetWindowRect.USER32(00000000), ref: 0040548A
ScreenToClient.USER32(?,?), ref: 00405496
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 004054AF
ShowWindow.USER32(00000008), ref: 004054CE
DestroyWindow.USER32(0000040B), ref: 004054E6
EndDialog.USER32(?), ref: 004054F9

Strings

NSIS Error, xrefs: 004053B6

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 0040552E, Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 227

APIs

Part of subcall function 00405CF5: GetModuleHandleA.KERNEL32(?,00000000,00000013,00406663,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 00405D05
Part of subcall function 00405CF5: LoadLibraryA.KERNEL32(?), ref: 00405D10
Part of subcall function 00405CF5: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00405D21

Part of subcall function 00405AB7: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,?,00406330,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00460520,00460520), ref: 00405AE1
Part of subcall function 00405AB7: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406330,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00460520,00460520), ref: 00405B03
Part of subcall function 00405AB7: RegCloseKey.ADVAPI32(?,?,00406330,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00460520,00460520), ref: 00405B2A

lstrcatW.KERNEL32(C:\Users\admin\AppData\Local\Temp\nso5566.tmp,00446230), ref: 004055B2

Part of subcall function 00403B32: SetWindowTextW.USER32(00000000,NSIS Error), ref: 00403BCD

Part of subcall function 00406178: lstrlenW.KERNEL32(004562B0,?,00000000,004562B0,004562B0,004066A2,004120B8,00000000,004066A2,?,00471000), ref: 004061D9
Part of subcall function 00406178: GetFileAttributesW.KERNEL32(004562B0,004562B0), ref: 004061E6

lstrlenW.KERNEL32(00460520,?,00000000,?,00460520,00000000,004C50A8,C:\Users\admin\AppData\Local\Temp\nso5566.tmp,00446230,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446230,00000000,00000006,"C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe" ), ref: 00405635
lstrcmpiW.KERNEL32(00460518,.exe,00460520,?,00000000,?,00460520,00000000,004C50A8,C:\Users\admin\AppData\Local\Temp\nso5566.tmp,00446230,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446230,00000000), ref: 00405648
GetFileAttributesW.KERNEL32(00460520,?,?,?,?,00000000,00403786), ref: 00405653

Part of subcall function 0040614B: lstrlenW.KERNEL32(004562B0,004562B0,004061D8,004562B0,004562B0), ref: 00406151
Part of subcall function 0040614B: CharPrevW.USER32(004562B0,00000000), ref: 00406162

Part of subcall function 0040611C: lstrlenW.KERNEL32(?,0040A0A8,00401916,00000000,0040A0A8,004C90B0,00000000,00000000,00000000,00000000,?,00000000), ref: 00406122
Part of subcall function 0040611C: CharPrevW.USER32(?,00000000), ref: 0040612D
Part of subcall function 0040611C: lstrcatW.KERNEL32(?,004082C8), ref: 0040613F

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

Part of subcall function 004058E9: CharNextW.USER32(00000000), ref: 004058F7

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C50A8), ref: 004056A5
RegisterClassW.USER32(00468540), ref: 004056F5
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040570C
CreateWindowExW.USER32(00000080,00000000,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040573E
ShowWindow.USER32(00000005), ref: 00405774
LoadLibraryW.KERNEL32(RichEd20), ref: 00405785
LoadLibraryW.KERNEL32(RichEd32), ref: 00405790
GetClassInfoW.USER32(00000000,RichEdit20A,00468540), ref: 0040579F
GetClassInfoW.USER32(00000000,RichEdit,00468540), ref: 004057AC
RegisterClassW.USER32(00468540), ref: 004057B9
DialogBoxParamW.USER32(?,00000000,0040507B,00000000), ref: 004057D8

Part of subcall function 00404C7E: OleInitialize.OLE32(00000000), ref: 00404C8E
Part of subcall function 00404C7E: OleUninitialize.OLE32(00000404,00000000,?,?,?,?,00000000,00403786), ref: 00404CDA

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

Part of subcall function 00405B35: wsprintfW.USER32 ref: 00405B42

Strings

RichEd20, xrefs: 00405780
"C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe" , xrefs: 00405536
C:\Users\admin\AppData\Local\Temp\, xrefs: 00405534
C:\Users\admin\AppData\Local\Temp\nso5566.tmp, xrefs: 00405550, 00405561, 004055AD
RichEdit, xrefs: 004057A6
.DEFAULT\Control Panel\International, xrefs: 0040559D
RichEdit20A, xrefs: 00405799, 004057AF
_Nb, xrefs: 004056BF
RichEd32, xrefs: 0040578B
.exe, xrefs: 00405642
Control Panel\Desktop\ResourceLocale, xrefs: 00405576

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00403D55, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 212

APIs

Part of subcall function 00403C67: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00403C7E
Part of subcall function 00403C67: GlobalAlloc.KERNEL32(00000040,00000001), ref: 00403C8D
Part of subcall function 00403C67: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00403CA1

Part of subcall function 004039FD: SetDlgItemTextW.USER32(?,?,00000000), ref: 00403A17

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00403E09
GetDlgItem.USER32(?,000003E8), ref: 00403E1D

Part of subcall function 00403A56: SendMessageW.USER32(00000028,?,00000001), ref: 00403A64

SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E3A
GetSysColor.USER32(?), ref: 00403E4B
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E59
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E67
lstrlenW.KERNEL32(?), ref: 00403E72
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E7F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00403E8E
GetDlgItem.USER32(?,0000040A), ref: 00403EE8
SendMessageW.USER32(00000000), ref: 00403EEF

Part of subcall function 00403A43: EnableWindow.USER32(?), ref: 00403A4D

Part of subcall function 00403A1F: SendMessageW.USER32(?,000000F4,00000001,00000001), ref: 00403A3C

GetDlgItem.USER32(?,000003E8), ref: 00403F1A
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403F5D
LoadCursorW.USER32(00000000,00007F02), ref: 00403F6B
SetCursor.USER32(00000000), ref: 00403F6E
ShellExecuteW.SHELL32(0000070B,open,00460520,00000000,00000000,00000001), ref: 00403F83
LoadCursorW.USER32(00000000,00007F00), ref: 00403F8F
SetCursor.USER32(00000000), ref: 00403F92
SendMessageW.USER32(00000111,00000001,00000000), ref: 00403FC1
SendMessageW.USER32(00000010,00000000,00000000), ref: 00403FD3

Part of subcall function 00403A88: GetWindowLongW.USER32(?,000000EB), ref: 00403AA2
Part of subcall function 00403A88: GetSysColor.USER32(00000000), ref: 00403ABE
Part of subcall function 00403A88: SetTextColor.GDI32(?,00000000), ref: 00403ACA
Part of subcall function 00403A88: SetBkMode.GDI32(?,?), ref: 00403AD6
Part of subcall function 00403A88: GetSysColor.USER32(?), ref: 00403AE9
Part of subcall function 00403A88: SetBkColor.GDI32(?,?), ref: 00403AF9
Part of subcall function 00403A88: DeleteObject.GDI32(?), ref: 00403B13
Part of subcall function 00403A88: CreateBrushIndirect.GDI32(?), ref: 00403B1D

Strings

N, xrefs: 00403F08
open, xrefs: 00403F7B

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00406491, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 163

APIs

lstrcpyW.KERNEL32(0045A2B8,NUL), ref: 004064A1
CloseHandle.KERNEL32(00000000), ref: 004064C0
GetShortPathNameW.KERNEL32(00000001,0045A2B8,00000400,?,00000000,?,00406684,?,?,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 004064C9
GetShortPathNameW.KERNEL32(?,0045F910,00000400,?,00000000,?,00406684,?,?,00000001,0040181E,00000000,00000000,00000000,?,00000000), ref: 004064EA
WideCharToMultiByte.KERNEL32(00000000,00000000,0045A2B8,000000FF,0045AAB8,00000400,00000000,00000000,?,00000000,?,00406684,?,?,00000001,0040181E), ref: 00406513
WideCharToMultiByte.KERNEL32(00000000,00000000,0045F910,000000FF,0045B108,00000400,00000000,00000000,?,00000000,?,00406684,?,?,00000001,0040181E), ref: 0040652B
wsprintfA.USER32(0045B508,%s=%s,0045AAB8,0045B108,?,00000000,?,00406684,?,?,00000001,0040181E,00000000,00000000,00000000), ref: 00406545

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

Part of subcall function 00405A34: GetFileAttributesW.KERNEL32(?,0040656E,0045F910,C0000000,00000004,0045F910,?,00000000,00000000,?,00000000), ref: 00405A38
Part of subcall function 00405A34: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A5A

GetFileSize.KERNEL32(00000000,00000000,0045F910,C0000000,00000004,0045F910,?,00000000,00000000,?,00000000), ref: 0040657D
GlobalAlloc.KERNEL32(00000040,0000000A,?,00000000), ref: 0040658C
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004065A8

Part of subcall function 0040599A: lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,004065CB,00000000,[Rename],?,00000000), ref: 004059AA
Part of subcall function 0040599A: lstrcmpi.KERNEL32(00000000,?,?,00000000,004065CB,00000000,[Rename],?,00000000), ref: 004059C2
Part of subcall function 0040599A: CharNextA.USER32(00000000), ref: 004059D3
Part of subcall function 0040599A: lstrlen.KERNEL32(00000000,?,00000000,004065CB,00000000,[Rename],?,00000000), ref: 004059DC

lstrcpy.KERNEL32(00000000,[Rename]), ref: 004065D8
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045B508,00000000,-0000000A,004089C8,00000000,[Rename],?,00000000), ref: 0040662B
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040663F
GlobalFree.KERNEL32(00000000,?,00000000), ref: 00406646
CloseHandle.KERNEL32(?), ref: 00406650

Strings

[Rename], xrefs: 004065C0, 004065CF
%s=%s, xrefs: 0040653B
NUL, xrefs: 00406496

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,?), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,NSIS Error,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

NSIS Error, xrefs: 00401159
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00406200, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 218

APIs

lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004063DA
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406321
., xrefs: 004062EB

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00403A88, Relevance: 12.1, APIs: 8, Instructions: 60

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403AA2
GetSysColor.USER32(00000000), ref: 00403ABE
SetTextColor.GDI32(?,00000000), ref: 00403ACA
SetBkMode.GDI32(?,?), ref: 00403AD6
GetSysColor.USER32(?), ref: 00403AE9
SetBkColor.GDI32(?,?), ref: 00403AF9
DeleteObject.GDI32(?), ref: 00403B13
CreateBrushIndirect.GDI32(?), ref: 00403B1D

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00404BA9, Relevance: 10.6, APIs: 7, Instructions: 73

APIs

lstrlenW.KERNEL32(0043E220,?), ref: 00404BE1
lstrlenW.KERNEL32(?,0043E220,?), ref: 00404BF1
lstrcatW.KERNEL32(0043E220,?), ref: 00404C04
SetWindowTextW.USER32(0043E220,0043E220), ref: 00404C16
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404C3C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404C56
SendMessageW.USER32(?,00001013,?,00000000), ref: 00404C64

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00405C1D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71

APIs

Part of subcall function 004058E9: CharNextW.USER32(00000000), ref: 004058F7

CharNextW.USER32( C), ref: 00405C80
CharNextW.USER32( C), ref: 00405C8F
CharNextW.USER32( C), ref: 00405C94
CharPrevW.USER32( C, C), ref: 00405CA8

Strings

C, xrefs: 00405C1F, 00405C48, 00405C7F, 00405C87, 00405C88, 00405C8E, 00405C93, 00405CA6, 00405CA7
*?|<>/":, xrefs: 00405C6F

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00402E4F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51

APIs

DestroyWindow.USER32(00000000), ref: 00402E6A
GetTickCount.KERNEL32(00000000,00000001,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402E88
ShowWindow.USER32(00000000,00000005), ref: 00402EE8

Part of subcall function 00402DB4: MulDiv.KERNEL32(00037200,00000064,00037200,00402EAC), ref: 00402DC9

Part of subcall function 00405D2C: DispatchMessageW.USER32(?), ref: 00405D43
Part of subcall function 00405D2C: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00405D53

wsprintfW.USER32 ref: 00402EB6

Part of subcall function 00404BA9: lstrlenW.KERNEL32(0043E220,?), ref: 00404BE1
Part of subcall function 00404BA9: lstrlenW.KERNEL32(?,0043E220,?), ref: 00404BF1
Part of subcall function 00404BA9: lstrcatW.KERNEL32(0043E220,?), ref: 00404C04
Part of subcall function 00404BA9: SetWindowTextW.USER32(0043E220,0043E220), ref: 00404C16
Part of subcall function 00404BA9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404C3C
Part of subcall function 00404BA9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404C56
Part of subcall function 00404BA9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404C64

CreateDialogParamW.USER32(0000006F,00000000,00402DD0,00000000), ref: 00402EDA

Strings

... %d%%, xrefs: 00402EB0

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00404485, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004044A0
GetMessagePos.USER32 ref: 004044A8
ScreenToClient.USER32(?,?), ref: 004044C0
SendMessageW.USER32(?,00001111,00000000,?), ref: 004044D2
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004044F8

Strings

f, xrefs: 004044D4

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00402DD0, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DEE

Part of subcall function 00402DB4: MulDiv.KERNEL32(00037200,00000064,00037200,00402EAC), ref: 00402DC9

wsprintfW.USER32 ref: 00402E22
SetWindowTextW.USER32(?,?), ref: 00402E32
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E44

Strings

verifying installer: %d%%, xrefs: 00402E17, 00402E1D
unpacking data: %d%%, xrefs: 00402E10

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 004030B8, Relevance: 7.6, APIs: 5, Instructions: 109

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000,00000000,000000EA,?,0040A0A8), ref: 004030DE

Part of subcall function 00402F3A: GetTickCount.KERNEL32(00000000,00000004,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402F4F
Part of subcall function 00402F3A: SetFilePointer.KERNEL32(00000000,00000000,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402F82
Part of subcall function 00402F3A: WriteFile.KERNEL32(004261C0,00000000,00000000,00000000,0042E1C8), ref: 00403040
Part of subcall function 00402F3A: SetFilePointer.KERNEL32(00000000,00000000,00000000,0042E1C8,00004000,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17), ref: 00403092

ReadFile.KERNEL32(?,00000004,00000000,00000000,00471000), ref: 0040310C
ReadFile.KERNEL32(0042E1C8,00004000,00000000,00000000,?), ref: 00403166
WriteFile.KERNEL32(00000000,0042E1C8,00000000,00000000,00000000), ref: 0040317E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004031C2

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00401497, Relevance: 7.6, APIs: 5, Instructions: 67

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000000,00000022,00000000), ref: 004014B9
RegDeleteKeyW.ADVAPI32(00000000,00000000), ref: 00401541

Part of subcall function 00401497: RegCloseKey.ADVAPI32(?), ref: 004014FE

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014F5
RegCloseKey.ADVAPI32(?), ref: 00401523

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00404049, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73

APIs

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

lstrlenW.KERNEL32(00446230,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00446230,?), ref: 004040E6
wsprintfW.USER32 ref: 004040F3
SetDlgItemTextW.USER32(?,00446230,000000DF), ref: 00404106

Strings

%u.%u%s%s, xrefs: 004040E0

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00402F3A, Relevance: 6.1, APIs: 4, Instructions: 107

APIs

GetTickCount.KERNEL32(00000000,00000004,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402F4F
SetFilePointer.KERNEL32(00000000,00000000,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402F82

Part of subcall function 00402EF1: ReadFile.KERNEL32(?,00000000,00000000,00000000,0042E1C8), ref: 00402F08

Part of subcall function 00406900: GlobalFree.KERNEL32(00000000,00000000,00004000,0042E1C8,?,004261C0,00403020,0042E1C8,00004000,?,00471000,?,004030ED,00000004,00000000,0040A0A8), ref: 004069B3
Part of subcall function 00406900: GlobalAlloc.KERNEL32(00000040,00470FF0,00000000,00004000,0042E1C8,?,004261C0,00403020,0042E1C8,00004000,?,00471000,?,004030ED,00000004,00000000), ref: 004069BC
Part of subcall function 00406900: GlobalFree.KERNEL32(00000000,00000000,00004000,0042E1C8,?,004261C0,00403020,0042E1C8,00004000,?,00471000,?,004030ED,00000004,00000000,0040A0A8), ref: 00406A2B
Part of subcall function 00406900: GlobalAlloc.KERNEL32(00000040,00000000,00000000,00004000,0042E1C8,?,004261C0,00403020,0042E1C8,00004000,?,00471000,?,004030ED,00000004,00000000), ref: 00406A36

WriteFile.KERNEL32(004261C0,00000000,00000000,00000000,0042E1C8), ref: 00403040
SetFilePointer.KERNEL32(00000000,00000000,00000000,0042E1C8,00004000,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17), ref: 00403092

Part of subcall function 00402E4F: DestroyWindow.USER32(00000000), ref: 00402E6A
Part of subcall function 00402E4F: GetTickCount.KERNEL32(00000000,00000001,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000,00000001,00000000), ref: 00402E88
Part of subcall function 00402E4F: wsprintfW.USER32 ref: 00402EB6
Part of subcall function 00402E4F: CreateDialogParamW.USER32(0000006F,00000000,00402DD0,00000000), ref: 00402EDA
Part of subcall function 00402E4F: ShowWindow.USER32(00000000,00000005), ref: 00402EE8

Part of subcall function 00402F23: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402F74,?,00471000,?,004030ED,00000004,00000000,0040A0A8,?,?,?,00401A17,00000000), ref: 00402F31

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00405D5F, Relevance: 6.0, APIs: 4, Instructions: 31

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,00000000,00000000,0040219A,00000000,00000003), ref: 00405D6A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000), ref: 00405D80
GetProcAddress.KERNEL32(?,00000000), ref: 00405D8F
GlobalFree.KERNEL32(00000000), ref: 00405D98

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00403B32, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71

APIs

Part of subcall function 00405B35: wsprintfW.USER32 ref: 00405B42

Part of subcall function 00406200: GetVersion.KERNEL32(0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 004062D1
Part of subcall function 00406200: GetSystemDirectoryW.KERNEL32(00460520,00002004), ref: 00406353
Part of subcall function 00406200: GetWindowsDirectoryW.KERNEL32(00460520,00002004), ref: 00406366
Part of subcall function 00406200: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063A2
Part of subcall function 00406200: SHGetPathFromIDListW.SHELL32(?,00460520), ref: 004063B0
Part of subcall function 00406200: CoTaskMemFree.OLE32(?), ref: 004063BB
Part of subcall function 00406200: lstrcatW.KERNEL32(00460520,\Microsoft\Internet Explorer\Quick Launch), ref: 004063E0
Part of subcall function 00406200: lstrlenW.KERNEL32(00460520,0043E220,00000000,00000000,00404BE0,0043E220,00401605,?), ref: 00406442

SetWindowTextW.USER32(00000000,NSIS Error), ref: 00403BCD

Strings

NSIS Error, xrefs: 00403BBC
C:\Users\admin\AppData\Local\Temp\nso5566.tmp, xrefs: 00403B36, 00403B3B, 00403BB4

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 00404503, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58

APIs

IsWindowVisible.USER32(?), ref: 00404539

Part of subcall function 00404485: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004044A0
Part of subcall function 00404485: GetMessagePos.USER32 ref: 004044A8
Part of subcall function 00404485: ScreenToClient.USER32(?,?), ref: 004044C0
Part of subcall function 00404485: SendMessageW.USER32(?,00001111,00000000,?), ref: 004044D2
Part of subcall function 00404485: SendMessageW.USER32(?,0000113E,00000000,?), ref: 004044F8

CallWindowProcW.USER32(?,00000200,?,?), ref: 004045A7

Part of subcall function 00405BEE: lstrcpynW.KERNEL32(0040648D,0040648D,00002004,0040648D,?,00460520,00404BE0,0043E220,00401605,?), ref: 00405BFB

Part of subcall function 00405B35: wsprintfW.USER32 ref: 00405B42

Part of subcall function 00403A6D: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00403A7F

Strings

, xrefs: 00404511

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Function 0040599A, Relevance: 5.0, APIs: 4, Instructions: 37

APIs

lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,004065CB,00000000,[Rename],?,00000000), ref: 004059AA
lstrcmpi.KERNEL32(00000000,?,?,00000000,004065CB,00000000,[Rename],?,00000000), ref: 004059C2
CharNextA.USER32(00000000), ref: 004059D3
lstrlen.KERNEL32(00000000,?,00000000,004065CB,00000000,[Rename],?,00000000), ref: 004059DC

Memory Dump Source

Source File: 00000001.00000002.4324751431.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4324740198.00400000.00000002.sdmp
Associated: 00000001.00000002.4324825794.005D3000.00000080.sdmp
Associated: 00000001.00000002.4324834724.005D4000.00000008.sdmp
Associated: 00000001.00000002.4324844408.005F7000.00000004.sdmp
Associated: 00000001.00000002.4324852324.005F8000.00000080.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_virussign.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Signature Overview

AV Detection:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Hooks - Code Manipulation Behavior

SSDT

IRP Handler

New Device

Kernel Modules

Module: ntoskrnl.exe

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe PID: 2632 Parent PID: 3792

General

Analysis Process: 5dac7ebf.exe PID: 2764 Parent PID: 2632

General

Analysis Process: reg.exe PID: 2792 Parent PID: 868

General

Analysis Process: reg.exe PID: 2260 Parent PID: 868

General

Analysis Process: reg.exe PID: 3188 Parent PID: 868

General

Analysis Process: 3AAA263B.sys PID: 4 Parent PID: -1

General

Analysis Process: reg.exe PID: 2828 Parent PID: 868

General

Analysis Process: iexplore.exe PID: 2552 Parent PID: 868

General

Analysis Process: ie4uinit.exe PID: 2568 Parent PID: 2552

General

Disassembly

Code Analysis

Analysis Process: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe PID: 2632 Parent PID: 3792