Analysis Report for HMA-Pro-VPN-2.6.9-install.exe

Comment on this report

Summary:

Description	Risk
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
Performs Registry Activities: The executable creates and/or modifies registry entries.

Table of Contents
expand all	collapse all
General information HMA-Pro-VP.exe C:\HMA-Pro-VP.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	292 s
Report created:	10/09/11, 14:52:00 UTC
Termination reason:	Timeout
Program version:	1.75.3394

2. HMA-Pro-VP.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	HMA-Pro-VP.exe
MD5:	cf2acd6c9975d4713c11b9575bc476ed
SHA-1:	dafeb9c2d6714d904bd825b4d87265470d48c98a
File Size:	3433503 Bytes
Command Line:	"C:\HMA-Pro-VP.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- Run-time Dlls

Module Name	Base Address	Size
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll	0x003F0000	0x00009000
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll	0x10000000	0x00005000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\RichEd20.dll	0x74E30000	0x0006D000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHFOLDER.dll	0x76780000	0x00009000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000

	- SigBuster Output

NullSoft_PiMP_SFX vna SN: 1724

	- Popups

Window Name	Window Text	Screenshot	Number of Displayed Times
HMA! Pro VPN 2.6.9 Setup	&Next > Cancel Welcome to the HMA! Pro VPN 2.6.9 Setup Wizard This wizard will guide you through the installation of HMA! Pro VPN. Note that the Windows version of HMA! Pro VPN will only run on Win 2000, XP, or higher.		1
HMA! Pro VPN 2.6.9 Setup	&Yes &No Are you sure you want to quit HMA! Pro VPN 2.6.9 Setup?		4

2.a) HMA-Pro-VP.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Programs	C:\Documents and Settings\Administrator\Start Menu\Programs

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32		%SystemRoot%\system32\SHELL32.dll	1
HKLM\SOFTWARE\CLASSES\DIRECTORY	AlwaysShowExt		1
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}	DriveMask	32	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentVersion	5.1	2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKLM\System\WPA\PnP	seed	1274198464	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\	ShellState	0x2400000038080000000000000000000000000000010000000d0000000000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\	Data	0x000000005c005c003f005c0049004400450023004300640052006f006d00	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\	Generation	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\	Data	0x000000005c005c003f005c00530054004f00520041004700450023005600	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\	Generation	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Programs	%USERPROFILE%\Start Menu\Programs	1

2.b) HMA-Pro-VP.exe - File Activities

	- Files Deleted:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsr1.tmp

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\System.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\ioSpecial.ini

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-header.bmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-wizard.bmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\options.ini

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsr1.tmp

	- Files Read:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\ioSpecial.ini

C:\HMA-Pro-VP.exe

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\System.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\ioSpecial.ini

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-header.bmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-wizard.bmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\options.ini

MountPointManager

PIPE\lsarpc

	- Directories Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	6

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0008	2
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0034	4

	- Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\System.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-header.bmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-wizard.bmp

C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\RichEd20.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\SHFOLDER.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\rpcss.dll

Analysis Report for HMA-Pro-VPN-2.6.9-install.exe

Summary:

Table of Contents

1. General Information

2. HMA-Pro-VP.exe

2.a) HMA-Pro-VP.exe - Registry Activities

2.b) HMA-Pro-VP.exe - File Activities