Windows Analysis Report
HDDScan.exe

Overview

General Information

Sample name: HDDScan.exe
Analysis ID: 1417299
MD5: 6ef8de39a76d481e8c2047a4744d4089
SHA1: f0068385962b420c2864f9af3f428b5a06b2fc4f
SHA256: cdd981b92ffa81a9d3b51c4aba50892e3548a2f7e2058a35b4581993591251af

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: HDDScan.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: HDDScan.exe String found in binary or memory: http://bsalsa.com/
Source: HDDScan.exe String found in binary or memory: http://hddscan.com/dfgkjdfg435egdvkjdv
Source: HDDScan.exe String found in binary or memory: http://hddscan.comopen
Source: HDDScan.exe String found in binary or memory: http://hddscan.ruopenj
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: HDDScan.exe String found in binary or memory: http://www.bsalsa.com/
Source: HDDScan.exe String found in binary or memory: http://www.hddscan.com
Source: C:\Users\user\Desktop\HDDScan.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 596
Source: HDDScan.exe Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: colorui.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: compstui.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: inetres.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HDDScan.exe Section loaded: wintypes.dll
Source: classification engine Classification label: clean3.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\HDDScan.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6916
Source: C:\Users\user\Desktop\HDDScan.exe Mutant created: \Sessions\1\BaseNamedObjects\HDDScanTaskMutex
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4023aa74-7ca8-4802-b6fc-fa0c9ae4b8a8
Source: Yara match File source: HDDScan.exe, type: SAMPLE
Source: Yara match File source: 0.0.HDDScan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1627302543.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\HDDScan.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\HDDScan.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\HDDScan.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HDDScan.exe String found in binary or memory: /Accumulated start-stop cycles
Source: HDDScan.exe String found in binary or memory: Fake Start/Stop Count
Source: HDDScan.exe String found in binary or memory: Start/Stop Count
Source: unknown Process created: C:\Users\user\Desktop\HDDScan.exe "C:\Users\user\Desktop\HDDScan.exe"
Source: C:\Users\user\Desktop\HDDScan.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\HDDScan.exe Automated click: Agree
Source: C:\Users\user\Desktop\HDDScan.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: HDDScan.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: HDDScan.exe Static file information: File size 7131648 > 1048576
Source: HDDScan.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x480600
Source: HDDScan.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1d9e00
Source: HDDScan.exe Static PE information: More than 200 imports for user32.dll
Source: HDDScan.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_3_028A1E7F push 675800CFh; iretd 0_3_028A1EC2
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019C014 push eax; ret 0_2_0019C015
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019C324 push eax; ret 0_2_0019C325
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019B964 push eax; iretd 0_2_0019B965
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019DCB8 pushad ; ret 0_2_0019DCE8
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019C0A4 push esp; ret 0_2_0019C0B5
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019D4DE pushad ; retf 0_2_0019D57F
Source: C:\Users\user\Desktop\HDDScan.exe Code function: 0_2_0019BFFC pushfd ; retn 0019h 0_2_0019BFFD
Source: C:\Users\user\Desktop\HDDScan.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HDDScan.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\HDDScan.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: HDDScan.exe, 00000000.00000002.1825965942.0000000000D02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\HDDScan.exe Process queried: DebugPort
Source: HDDScan.exe Binary or memory string: Shell_TrayWndSVW
Source: HDDScan.exe Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos