My SandBox Report:
General information
File Name:c:\usbcillin.exe
MD5:1FE4FEF9E7CAC62075F79E7C09FF6A7A
SHA-1:896f44a5e117accbb807d4905523337155705cd7
File Size:131072 Bytes
Compiler/packer signature: MS Visual Basic 5.0-6.0 EXE (a compiler signature rather than a packer; the readable import table and form/control names in the string dump below suggest the binary is not packed)
- Antivirus Detection
Antivir:Found Nothing
AVG:Found Nothing
F-Prot:Found Nothing
Avast:Found Nothing
BitDefender:Found Nothing
ClamAV:Found Nothing
Note: zero detections across six engines is not evidence that the file is benign. The import table and the runtime behaviour recorded below (self-copy into system32, Run-key persistence, process enumeration/termination APIs, writes to Winlogon and Explorer/System policy values) should be assessed on their own merits.
+ File Identifier
86.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (124082/14/17) 5.9% (.EXE) Win32 Executable Generic (8527/13/3)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
1.3% (.EXE) Generic Win/DOS Executable (2002/3)
1.3% (.EXE) DOS Executable Generic (2000/1)
86.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (124082/14/17) 5.9% (.EXE) Win32 Executable Generic (8527/13/3)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
1.3% (.EXE) Generic Win/DOS Executable (2002/3)
1.3% (.EXE) DOS Executable Generic (2000/1)
+ Strings Found (the dump mixes real identifiers, UI text and API import names with raw resource bytes — the GIF89a image data and the repeated runs of punctuation/letters appear to be embedded image content, not meaningful strings)
!This program cannot be run in DOS mode.
Richya
.text
`.data
.rsrc
MSVBVM60.DLL
RsNbQs
Ps'TDs6
Ps$sOs
Rs,EDs
BDs)/Ps
FDs3|Os
Rs|gOs[NDs
fQsNcQs
PsQ$Ps|iPs
cQs=]Qs>
RsSHDs<
Rs^GDsh
USBcillin
Form1
USBcillin v0.1
R8[bliW
59
);AGHJJL`
):>CCGHJLLa
'+:?@CCGGHJJLa
&+/3?@BBCGGHJL^c
-/033?@BBCGHHJLLe
-%//033?@BCCGHHJL^f
"%%./003??@BCCGHJJL^g
"$%%./003??@BCCGHJJL^z
!"$%%./003?@@BCCGHJD
""$%%./033?@BBCCG
""%%../033?@BB=
""$%../033?@
"$$%.//03,
"$$%.//6
"$%%.U
)ZbhfSF
+7=KTi
*39;=K\i
"/239;>L]
#&./33;;=L_
#&./29;;>N`
#../299=>O
#../39;6
&..22
2EHmL?8
"*4CmK>A
&(*5DmJ
#'(*6FmI;@
#'(-9Gk
#'(-p
hssw||
/fhssvw||
jYafhssv|||u}S
Z]afhssstecM
W]aahidUOQ
XaaaTO
>EIA7
4;?BEI@
.8:
,,1::
,,1:2)'
Form1
Timer1
Image2
GIF89a
B#TAY
Image2
GIF89a
B#TAY
Image2
GIF89a
B#TAY
Image2
GIF89a
B#TAY
Label6
Coded By: Rajat
Label5
Malware
MS Sans Serif
Label4
MS Sans Serif
Label3
Registry
MS Sans Serif
Label2
MS Sans Serif
Label1
USBc
illin Protection Enabled For
MS Sans Serif
Image1
R8[bliW
59
);AGHJJL`
):>CCGHJLLa
'+:?@CCGGHJJLa
&+/3?@BBCGGHJL^c
-/033?@BBCGHHJLLe
-%//033?@BCCGHHJL^f
"%%./003??@BCCGHJJL^g
"$%%./003??@BCCGHJJL^z
!"$%%./003?@@BCCGHJD
""$%%./033?@BBCCG
""%%../033?@BB=
""$%../033?@
"$$%.//03,
"$$%.//6
"$%%.U
)ZbhfSF
+7=KTi
*39;=K\i
"/239;>L]
#&./33;;=L_
#&./29;;>N`
#../299=>O
#../39;6
&..22
2EHmL?8
"*4CmK>A
&(*5DmJ
#'(*6FmI;@
#'(-9Gk
#'(-p
hssw||
/fhssvw||
jYafhssv|||u}S
Z]afhssstecM
W]aahidUOQ
XaaaTO
>EIA7
4;?BEI@
.8:
,,1::
,,1:2)'
menu1
Popup
menu11
&Show
menu12
&Scan
menu_sep
menu13
&Exit
USBCillin
USBcillin
USBcillin
Form1
Autorun
basRegistry
Registry
SystemTray
Module1
Module2
USBcillin
menu_sep
rosoft Visual Studio\VB98\VB6.OLB
Image2
Label1
menu12
menu13
menu11
Label2
Label3
Label4
Label5
Label6
Timer1
menu1
Image1
kernel32.dll (the imports that follow — CreateToolhelp32Snapshot/Process32First/Process32Next together with OpenProcess/TerminateProcess — give the sample the ability to enumerate running processes and terminate them; which processes it targets cannot be recovered from this report)
OpenProcess
Process32First
Process32Next
CreateToolhelp32Snapshot
TerminateProcess
Cl
oseHandle
shell32.dll
Shell_NotifyIcon
__vbaObjSetAddref
__vbaFreeVarList
VBA6.DLL
__vbaVarTstNe
__vbaNew
__vbaVarMod
__vbaVarTstEq
__vbaVarAdd
__vbaVarMove
__vbaFpI4
__vbaVarCat
__vbaStrVarMove
__vbaLsetFixstr
__vbaLateIdCallLd
__vbaI4Var
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaObjSet
__vbaEnd
__vbaFreeObj
__vbaRecAnsiToUni
__vbaSetSystemError
__vbaRecUniToAnsi
__vbaI2I4
__vbaHresultCheckObj
__vbaNew2
__vbaOnError
__vbaFreeVar
__vbaVarDup
__vbaFreeStr
__vbaStrCopy
__vbaVarLateMemCallLd
__vbaObjVar
__vbaBoolVarNull
__vbaVarSetObj
__vbaVarForNext
__vbaVarSub
__vbaVarCmpGt
__vbaVarCmpLt
__vbaVarAnd
__vbaStrVarVal
__vbaLenVar
__vbaUbound
__vbaVarForInit
__vbaGenerateBoundsError
__vbaVarCopy
__vbaFileClose
__vbaInputFile
__vbaFileOpen
__vbaFreeObjList
__vbaNextEachCollObj
__vbaForEachCollObj
__vbaCastObj
__vbaErrorOverflow
__vbaLenBstr
__vbaStrCmp
__vbaStrFixstr
__vbaInStrVar
__vbaI2Var
advapi32.dll (registry imports follow, including RegCreateKeyA, RegDeleteKeyA, RegDeleteValueA and RegSetValueExA — the sample can create, delete and write registry keys and values, consistent with the registry activity recorded below)
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
R
egDeleteValueA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
__vbaVarVargNofree
__vbaI4ErrVar
__vbaStrToUnicode
__vbaStrToAnsi
__vbaExitProc
__vbaVarLateMemSt
__vbaStrVarCopy
} jXh
} jXh
} jDh
} jPh
} j\h
MSVBVM60.DLL
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaLenBstr
__vbaStrVarMove
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
__vbaLenVar
_adj_fdiv_m32
__vbaExitProc
__vbaForEachCollObj
__vbaVarForInit
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaStrFixstr
__vbaBoolVarNull
_CIsin
__vbaNextEachCollObj
__vbaVarCmpGt
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaVarTstEq
__vbaObjVar
__vbaI2I4
DllFunctionCall
__vbaVarLateMemSt
_adj_fpatan
__vbaLateIdCallLd
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
_CIsqrt
__vbaVarAnd
EVENT_SIN
K_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaInputFile
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaInStrVar
__vbaUbound
__vbaStrVarVal
__vbaVarCat
__vbaI2Var
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaVarSetObj
__vbaStrCopy
__vbaVarCmpLt
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaI4Var
__vbaVarAdd
__vbaStrToAnsi
__vbaVarDup
__vbaVarMod
__vbaVarCopy
__vbaVarLateMemCallLd
__vbaFpI4
_CIatan
__vbaCastObj
__vbaStrMove
__vbaStrVarCopy
_allmul
_CItan
__vbaVarForNext
_CIexp
__vbaI4ErrVar
__vbaFreeStr
__vbaFreeObj
>EIA7
4;?BEI@
.8:
,,1::
,,1:2)'
2EHmL?8
"*4CmK>A
&(*5DmJ
#'(*6FmI;@
#'(-9Gk
#'(-p
hssw||
/fhssvw||
jYafhssv|||u}S
Z]afhssstecM
W]aahidUOQ
XaaaTO
)ZbhfSF
+7=KTi
*39;=K\i
"/239;>L]
#&./33;;=L_
#&./29;;>N`
#../299=>O
#../39;6
&..22
R8[bliW
59
);AGHJJL`
):>CCGHJLLa
'+:?@CCGGHJJLa
&+/3?@BBCGGHJL^c
-/033?@BBCGHHJLLe
-%//033?@BCCGHHJL^f
"
%%./003??@BCCGHJJL^g
"$%%./003??@BCCGHJJL^z
!"$%%./003?@@BCCGHJD
""$%%./033?@BBCCG
""%%../033?@BB=
""$%../033?@
"$$%.//03,
"$$%.//6
"$%%.U
+ New Process Run
"c:\usbcillin.exe"
- File And Folder Activity
Files Added
C:\WINDOWS\system32\usbcillin.exe  (self-copy into the system directory; together with the Run value recorded under Registry Changes this gives the sample persistence across reboots, and shows it executed with rights to write to system32 and HKLM)
C:\usbcillin.exe
- Registry Changes
Key Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall
HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FASTFAT\0000\Control
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Policies\Microsoft\Windows
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Policies\Microsoft\Windows\System
Value Added
(Note: the Explorer/System/Network/Uninstall policy values below are all written as 0x00000000, i.e. the corresponding restrictions — disabled Task Manager, Registry Editor, Control Panel, Run, Find, CMD, etc. — are explicitly cleared, under both HKLM and the sandbox user's HKU hive. The LEGACY_FASTFAT/LEGACY_NPF ActiveService values, the print spooler directory and the Internet Explorer Window Title look like background activity of the sandbox host and are probably not attributable to the sample.)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\NoDispCPL: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoPropertiesMyComputer: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoActiveDesktop: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoControlPanel: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoPrinters: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetFolders: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoViewContextMenu: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoNetHood: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDesktop: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFileMenu: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoRun: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\NoNetSetup: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\NoAddRemovePrograms: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\NoRemovePage: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\NoAddPage: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USBcillin: "C:\WINDOWS\system32\USBcillin.exe"  (autostart persistence pointing at the copy the sample dropped into system32)
HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory: "C:\WINDOWS\System32\spool\PRINTERS"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FASTFAT\0000\Control\ActiveService: "Fastfat"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control\ActiveService: "NPF"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\Window Title: "Windows Internet Explorer"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoRemovePage: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddPage: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Policies\Microsoft\Windows\System\DisableCMD: 0x00000000
Value Modified (each value appears twice; the pairs are presumably the value before and after the run, but the report does not label which is which — confirm against the sandbox's raw log)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe"
(Note: Winlogon\Shell and Winlogon\Userinit are logon-time autostart points. The observed changes look cosmetic — a case change and a removed trailing comma — but any rewrite of these values by a non-installer binary is notable, and a malformed Userinit value prevents interactive logon.)
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime: 1C 79 3B 00 90 CF C9 01
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime: 70 AE A0 7E 92 CF C9 01
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "about:blank"  (whether the sample or the sandbox host changed the Internet Explorer start page cannot be determined from this report)