Edit tour

Windows Analysis Report
HDDScan.exe

Overview

General Information

Sample name:	HDDScan.exe
Analysis ID:	1417299
MD5:	6ef8de39a76d481e8c2047a4744d4089
SHA1:	f0068385962b420c2864f9af3f428b5a06b2fc4f
SHA256:	cdd981b92ffa81a9d3b51c4aba50892e3548a2f7e2058a35b4581993591251af
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

HDDScan.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\HDDScan.exe" MD5: 6EF8DE39A76D481E8C2047A4744D4089)

WerFault.exe (PID: 6336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 596 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
HDDScan.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1627302543.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.HDDScan.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: HDDScan.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: HDDScan.exe	String found in binary or memory: http://bsalsa.com/
Source: HDDScan.exe	String found in binary or memory: http://hddscan.com/dfgkjdfg435egdvkjdv
Source: HDDScan.exe	String found in binary or memory: http://hddscan.comopen
Source: HDDScan.exe	String found in binary or memory: http://hddscan.ruopenj
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: HDDScan.exe	String found in binary or memory: http://www.bsalsa.com/
Source: HDDScan.exe	String found in binary or memory: http://www.hddscan.com

Source: C:\Users\user\Desktop\HDDScan.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 596

Source: HDDScan.exe

Static PE information: Number of sections : 11 > 10

Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Section loaded: wintypes.dll	Jump to behavior

Source: HDDScan.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean3.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\HDDScan.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6916
Source: C:\Users\user\Desktop\HDDScan.exe	Mutant created: \Sessions\1\BaseNamedObjects\HDDScanTaskMutex

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4023aa74-7ca8-4802-b6fc-fa0c9ae4b8a8

Jump to behavior

Source: Yara match	File source: HDDScan.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HDDScan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1627302543.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\HDDScan.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\HDDScan.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HDDScan.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HDDScan.exe	String found in binary or memory: /Accumulated start-stop cycles
Source: HDDScan.exe	String found in binary or memory: Fake Start/Stop Count
Source: HDDScan.exe	String found in binary or memory: Fake Start/Stop Count
Source: HDDScan.exe	String found in binary or memory: Start/Stop Count
Source: HDDScan.exe	String found in binary or memory: Start/Stop Count

Source: unknown	Process created: C:\Users\user\Desktop\HDDScan.exe "C:\Users\user\Desktop\HDDScan.exe"
Source: C:\Users\user\Desktop\HDDScan.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 596

Source: C:\Users\user\Desktop\HDDScan.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\HDDScan.exe	Automated click: Agree
Source: C:\Users\user\Desktop\HDDScan.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: HDDScan.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: HDDScan.exe

Static file information: File size 7131648 > 1048576

Source: HDDScan.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x480600
Source: HDDScan.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1d9e00

Source: HDDScan.exe

Static PE information: More than 200 imports for user32.dll

Source: HDDScan.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_3_028A1E7F push 675800CFh; iretd	0_3_028A1EC2
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019C014 push eax; ret	0_2_0019C015
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019C324 push eax; ret	0_2_0019C325
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019B964 push eax; iretd	0_2_0019B965
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019DCB8 pushad ; ret	0_2_0019DCE8
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019C0A4 push esp; ret	0_2_0019C0B5
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019D4DE pushad ; retf	0_2_0019D57F
Source: C:\Users\user\Desktop\HDDScan.exe	Code function: 0_2_0019BFFC pushfd ; retn 0019h	0_2_0019BFFD

Source: C:\Users\user\Desktop\HDDScan.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HDDScan.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\HDDScan.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: HDDScan.exe, 00000000.00000002.1825965942.0000000000D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\HDDScan.exe

Process queried: DebugPort

Jump to behavior

Source: HDDScan.exe	Binary or memory string: Shell_TrayWndSVW
Source: HDDScan.exe	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HDDScan.exe	6%	ReversingLabs

Source	Detection	Scanner	Label
http://hddscan.ruopenj	0%	Avira URL Cloud	safe
http://bsalsa.com/	0%	Avira URL Cloud	safe
http://www.bsalsa.com/	0%	Avira URL Cloud	safe
http://hddscan.comopen	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://hddscan.com/dfgkjdfg435egdvkjdv	HDDScan.exe	false		high
http://hddscan.comopen	HDDScan.exe	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://hddscan.ruopenj	HDDScan.exe	false	Avira URL Cloud: safe	unknown
http://www.bsalsa.com/	HDDScan.exe	false	Avira URL Cloud: safe	unknown
http://www.hddscan.com	HDDScan.exe	false		high
http://bsalsa.com/	HDDScan.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417299
Start date and time:	2024-03-28 22:23:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HDDScan.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target HDDScan.exe, PID 6916 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: HDDScan.exe

Simulations

Behavior and APIs

Time	Type	Description
22:24:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HDDScan.exe_ea76cdead1d43b14caecbb56706fddae3cce72_2ee009fe_89fc0316-4654-4def-96d8-ca5193bfe192\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9752450921726032
Encrypted:	false
SSDEEP:	192:y0Mswcq0PsAP55jBzPJ8zuiFEZ24IO8B2:FicxPBP55jIzuiFEY4IO8B
MD5:	6876E802241209621B78BD688AA1C78D
SHA1:	2874AA32E7C7E79D853A68D5C95B315B4335CA5C
SHA-256:	0294B746C997E229B803434643C2956876C81C0962B9F502978C299765AD2F2F
SHA-512:	4748417C191032A9130636330C27F46CE1AF493D7FCB45E2AB6E4AED9B38943405D404788A92567B4692B28CCD1447E340F01B24F79A9F3BF788CDFE59A95CDE
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.3.4.6.3.7.1.6.7.5.2.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.3.4.6.3.7.6.6.7.5.2.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.f.c.0.3.1.6.-.4.6.5.4.-.4.d.e.f.-.9.6.d.8.-.c.a.5.1.9.3.b.f.e.1.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.e.d.3.9.d.5.-.8.7.b.b.-.4.4.6.f.-.8.6.e.e.-.1.c.6.8.f.a.a.d.c.0.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.D.D.S.c.a.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.0.4.-.0.0.0.1.-.0.0.1.4.-.f.6.5.f.-.1.a.3.9.5.6.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.e.d.d.4.b.4.0.8.d.2.8.9.f.4.e.1.a.7.0.2.e.2.7.d.5.6.c.0.1.f.8.0.0.0.0.0.9.0.4.!.0.0.0.0.f.0.0.6.8.3.8.5.9.6.2.b.4.2.0.c.2.8.6.4.f.9.a.f.3.f.4.2.8.b.5.a.0.6.b.2.f.c.4.f.!.H.D.D.S.c.a.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA724.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Mar 28 21:23:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62640
Entropy (8bit):	2.0027326969246797
Encrypted:	false
SSDEEP:	384:JPPloeVGQCm0K/b/QO3lH2UyC8NfvQDj1kB0:JnlRVGu0K/boOVByC8NADjqy
MD5:	717BADE1A63266EF7803B6423120C7E5
SHA1:	F75E8F60D541E0B11986B138B375CD3555D4B023
SHA-256:	67DD871AA2F2CEDAA8F3416BC2BB8B8A97898B468E9F64565347A74C20B24168
SHA-512:	4E9D518F3DED218B3A9982E5539EFB865BA41AD20CBED9609C6B843C48C917624514C994C416E82B721E6DFE4DD4DBCEABAFAE02CB3F97299E6185DC0858FD41
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................`...........,...h............:..........`.......8...........T............)...........................!..............................................................................eJ......."......GenuineIntel............T..............f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA800.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8306
Entropy (8bit):	3.7001124387704056
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+U6d6Y9sSU9U7Rgmf+YoprP89bHVsfntm:R6lXJd6d6Y2SU9U9gmf+4Hufw
MD5:	63CAC989F0C148A4162F10C582900389
SHA1:	BB76D9F9534E3E314715E6A9063B6BE4188B53B8
SHA-256:	BAE64DEF8DB0E5B23988EBE61CD8880C944D6D6055BEC4197AC05961DA36B5F3
SHA-512:	C9911DACF82D80395F546EE81CA864FCD47846CE0404AAB04ACA93BBB1AA1D802A2D4720FF7F432A0C72FE3D536D05DA4C4DA5522A01CF80B1B72DBD0F7D8BA7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA820.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4562
Entropy (8bit):	4.450229117864001
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMtJg77aI98fWpW8VY7IYm8M4JWFrgF7T8+q8ipbxSXLfouInhdd:uIjfMHI7aO7V4JW9WT87p9SXLfo9nhdd
MD5:	01BF7738BA859EAE1421A27AE60AD70D
SHA1:	3E884E1AC4B9E0235FCA322E2AAD92B9523587E3
SHA-256:	F1918436EE230732DB712B2F6C94D0B197D48133B68923333D3DB8FD1CB7D3CB
SHA-512:	5AC3CBC9BE63DDFC26947B5E63AD859CF6F1AAED888055F5C8BE1882FF308248B124C610C8A2E75946ECF5786607079638FCF89EFB251A77FD5E763419D730CE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255626" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4654160667501746
Encrypted:	false
SSDEEP:	6144:TIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNpdwBCswSbv:EXD94+WlLZMM6YFHz+v
MD5:	6157D9C6EDFBC71DCD8C2CF7D414CE16
SHA1:	C2006840F68837DA88E316CCD51816326373C1E5
SHA-256:	7FFF1364645D466F5CE242AB4E07B5401E13D88452CB61C8ED3A93163ED13CDA
SHA-512:	5079367E76F1DA42EC53D4C388CDDA047BE09ECBAF224DB28CD5D2DB1F0A33D24325695BA0C158434D82FADF7909BE6275D2E853018D811C95809FDF9A2BEA36
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.s#>V...............................................................................................................................................................................................................................................................................................................................................^h5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.778900610955359
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	HDDScan.exe
File size:	7'131'648 bytes
MD5:	6ef8de39a76d481e8c2047a4744d4089
SHA1:	f0068385962b420c2864f9af3f428b5a06b2fc4f
SHA256:	cdd981b92ffa81a9d3b51c4aba50892e3548a2f7e2058a35b4581993591251af
SHA512:	02051a1710b71a420d4ac1f5d6efaddb4e31aba139846541114ee85caf8e57c1da75dd31db95a8a7512091b6ee508bd17ec96743397c87e548b49d0dd5768423
SSDEEP:	98304:L0MiKIR1tX+DvVx1T/QUU/HA/tmB4EmJsHSeThD:AFfuJTzQJHvV
TLSH:	11768E9372C4942AD6670735843F9AE0583FBE217E16889B2BA43E0CDF75542393AF17
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	31717179686cf871

Static PE Info

General

Entrypoint:	0x885d64
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x5D6AACAB [Sat Aug 31 17:21:47 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2d642067629684caa72978192daa3f17

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFE8h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-18h], eax
mov eax, 00874130h
call 00007FB73808E1FAh
xor eax, eax
push ebp
push 00885F13h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [00893100h]
mov eax, dword ptr [eax]
call 00007FB73826300Ch
xor ecx, ecx
mov dl, 01h
mov eax, dword ptr [00873E60h]
call 00007FB7382586B6h
mov edx, dword ptr [008929F8h]
mov dword ptr [edx], eax
mov eax, dword ptr [00893100h]
mov eax, dword ptr [eax]
mov edx, 00885F30h
call 00007FB738262A15h
xor eax, eax
push ebp
push 00885E80h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
call 00007FB738086E6Ah
test eax, eax
jnle 00007FB7385079DDh
mov eax, dword ptr [008929F8h]
mov eax, dword ptr [eax]
call 00007FB73825E40Ah
mov eax, dword ptr [008929F8h]
mov eax, dword ptr [eax]
mov edx, dword ptr [eax]
call dword ptr [edx+000000B0h]
mov ecx, dword ptr [00892E54h]
mov eax, dword ptr [00893100h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0086C45Ch]
call 00007FB738262FB3h
mov ecx, dword ptr [00892A9Ch]
mov eax, dword ptr [00893100h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0086B3C0h]
call 00007FB738262F9Bh
mov ecx, dword ptr [00892BD0h]
mov eax, dword ptr [00893100h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4a3000	0x5e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49c000	0x458e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x501000	0x1d9e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a6000	0x5a93c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a5000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x49ccb4	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4a1000	0x1d60	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4805d0	0x480600	4e7b074513682e6413f6093a5381f115	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x482000	0x3f78	0x4000	b36deb5fd7fae212b63a7c0f97ce6800	False	0.49267578125	data	6.116806989939226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x486000	0xd634	0xd800	91f4dd5894bab875207a8a36351b329d	False	0.43849464699074076	data	6.197194788584571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x494000	0x7674	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x49c000	0x458e	0x4600	596c80b79e53e8f8d8e3a6b75bb05d0e	False	0.30747767857142855	data	5.235726068826933	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x4a1000	0x1d60	0x1e00	3354bffe50a2072a50cd6f6713503ba2	False	0.29140625	data	4.74051788361583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x4a3000	0x5e	0x200	9f6defa4d5233d9e1d18938896699bde	False	0.1640625	data	1.1072615392411285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x4a4000	0x48	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4a5000	0x5d	0x200	6b8c1ecfb6541db717540a1f0fc5543b	False	0.189453125	data	1.3760818752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a6000	0x5a93c	0x5aa00	1131c2715b07d01c36f76ddd9d6e211a	False	0.5639628232758621	data	6.724379605647983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x501000	0x1d9e00	0x1d9e00	43dd88efdd82fc6d3942ec806c154315	False	0.5078398056251648	data	6.980809714478211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x502f94	0x134	data	English	United States	0.2922077922077922
RT_CURSOR	0x5030c8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x5031fc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x503330	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x503464	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x503598	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x5036cc	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x503800	0x134	data	English	United States	0.38636363636363635
RT_CURSOR	0x503934	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x503a68	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x503c38	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x503e1c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x503fec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x5041bc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x50438c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x50455c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x50472c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x5048fc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x504acc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x504c9c	0x488	data	Russian	Russia	0.8836206896551724
RT_BITMAP	0x505124	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x5051e4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x5052c4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x5053a4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x505484	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x505544	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x505604	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x5056e4	0xc58	Device independent bitmap graphic, 51 x 20 x 24, image size 3120	English	United States	0.45126582278481014
RT_BITMAP	0x50633c	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.14975247524752475
RT_BITMAP	0x506664	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x506724	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x506804	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x5068ec	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.12995049504950495
RT_BITMAP	0x506c14	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x506cd4	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.12128712871287128
RT_BITMAP	0x506ffc	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.3829268292682927
RT_BITMAP	0x507664	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.39146341463414636
RT_BITMAP	0x507ccc	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.3853658536585366
RT_BITMAP	0x508334	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.39207317073170733
RT_BITMAP	0x50899c	0x110	Device independent bitmap graphic, 24 x 14 x 4, image size 168	English	United States	0.40808823529411764
RT_BITMAP	0x508aac	0x110	Device independent bitmap graphic, 24 x 14 x 4, image size 168	English	United States	0.4117647058823529
RT_BITMAP	0x508bbc	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.35548780487804876
RT_BITMAP	0x509224	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.3853658536585366
RT_BITMAP	0x50988c	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.43902439024390244
RT_BITMAP	0x509ef4	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.13861386138613863
RT_BITMAP	0x50a21c	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.07054455445544554
RT_BITMAP	0x50a544	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x50a624	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.32247426949012187
RT_ICON	0x51ae4c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.5320539419087137
RT_ICON	0x51d3f4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6104596622889306
RT_ICON	0x51e49c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7819148936170213
RT_DIALOG	0x51e904	0x52	data			0.7682926829268293
RT_DIALOG	0x51e958	0x52	data			0.7560975609756098
RT_STRING	0x51e9ac	0x4c	data			0.618421052631579
RT_STRING	0x51e9f8	0xaa	data			0.6647058823529411
RT_STRING	0x51eaa4	0x186	data			0.5743589743589743
RT_STRING	0x51ec2c	0x1ce	data			0.5303030303030303
RT_STRING	0x51edfc	0x146	data			0.5460122699386503
RT_STRING	0x51ef44	0x7e	data			0.6666666666666666
RT_STRING	0x51efc4	0x24	data			0.4166666666666667
RT_STRING	0x51efe8	0x20c	data			0.4732824427480916
RT_STRING	0x51f1f4	0x4f0	data			0.3647151898734177
RT_STRING	0x51f6e4	0x190	data			0.49
RT_STRING	0x51f874	0x250	AmigaOS bitmap font "p", fc_YSize 19712, 16640 elements, 2nd " ", 3rd "T"			0.42736486486486486
RT_STRING	0x51fac4	0x31c	data			0.4158291457286432
RT_STRING	0x51fde0	0x3c8	data			0.41838842975206614
RT_STRING	0x5201a8	0x298	data			0.4382530120481928
RT_STRING	0x520440	0x380	Targa image data - Color 110 x 103 x 32 +121 +105 "t"			0.34486607142857145
RT_STRING	0x5207c0	0x33c	AmigaOS bitmap font "P", fc_YSize 29696, 18944 elements, 2nd "i", 3rd "p"			0.4251207729468599
RT_STRING	0x520afc	0xa24	data			0.2862095531587057
RT_STRING	0x521520	0x81c	data			0.31165703275529866
RT_STRING	0x521d3c	0x444	data			0.3305860805860806
RT_STRING	0x522180	0x274	data			0.5095541401273885
RT_STRING	0x5223f4	0x3e0	data			0.41935483870967744
RT_STRING	0x5227d4	0xd8	data			0.6666666666666666
RT_STRING	0x5228ac	0xd0	data			0.6634615384615384
RT_STRING	0x52297c	0x2c8	data			0.425561797752809
RT_STRING	0x522c44	0x284	data			0.4829192546583851
RT_STRING	0x522ec8	0x410	data			0.36538461538461536
RT_STRING	0x5232d8	0x37c	data			0.3901345291479821
RT_STRING	0x523654	0x464	data			0.297153024911032
RT_STRING	0x523ab8	0x374	data			0.4287330316742081
RT_STRING	0x523e2c	0x3b0	data			0.3707627118644068
RT_STRING	0x5241dc	0x3cc	data			0.3713991769547325
RT_STRING	0x5245a8	0x384	data			0.35444444444444445
RT_STRING	0x52492c	0x470	data			0.3890845070422535
RT_STRING	0x524d9c	0x1d0	data			0.40301724137931033
RT_STRING	0x524f6c	0xcc	data			0.6225490196078431
RT_STRING	0x525038	0x17c	data			0.55
RT_STRING	0x5251b4	0x384	data			0.3811111111111111
RT_STRING	0x525538	0x358	data			0.37616822429906543
RT_STRING	0x525890	0x310	data			0.37755102040816324
RT_STRING	0x525ba0	0x334	data			0.33414634146341465
RT_RCDATA	0x525ed4	0xcbf	PNG image data, 60 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0033711308611708
RT_RCDATA	0x526b94	0x3a5	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	English	United States	1.0117899249732047
RT_RCDATA	0x526f3c	0xd58	PNG image data, 33 x 33, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0032201405152226
RT_RCDATA	0x527c94	0xd0d	PNG image data, 33 x 33, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.003292427416941
RT_RCDATA	0x5289a4	0x10	data			1.5
RT_RCDATA	0x5289b4	0x10a4	data			0.5328638497652582
RT_RCDATA	0x529a58	0x2	data	English	United States	5.0
RT_RCDATA	0x529a5c	0x5ea	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0072655217965654
RT_RCDATA	0x52a048	0x5c9	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0074274139095205
RT_RCDATA	0x52a614	0x314	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.013959390862944
RT_RCDATA	0x52a928	0xb88	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.9088753387533876
RT_RCDATA	0x52b4b0	0xabc	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.8966521106259098
RT_RCDATA	0x52bf6c	0x415c8	TrueType Font data, 19 tables, 1st "GPOS", 16 names, Macintosh, $g$\252 fonts 1999\251ElektraMediumTransType 3 MAC;Elektra;001.000;18/07/06 23:22:47ElektraVer	English	United States	0.10237935156133274
RT_RCDATA	0x56d534	0x5f80	TrueType Font data, 15 tables, 1st "OS/2", 21 names, Unicode	English	United States	0.3445271596858639
RT_RCDATA	0x5734b4	0x60d	Delphi compiled form 'TfmAbout'			0.3983214977404777
RT_RCDATA	0x573ac4	0x13dcf	Delphi compiled form 'TfmBootUp'			0.31331506041126367
RT_RCDATA	0x587894	0x556	Delphi compiled form 'TfmError'			0.4128843338213763
RT_RCDATA	0x587dec	0x457	Delphi compiled form 'TfmLicense'			0.48874887488748875
RT_RCDATA	0x588244	0x10e1d0	Delphi compiled form 'TfmMain'			0.5643234252929688
RT_RCDATA	0x696414	0x106ce	Delphi compiled form 'TfmPopupTests'			0.8994916614643718
RT_RCDATA	0x6a6ae4	0x14933	Delphi compiled form 'TfmPopupTools'			0.9558825274399289
RT_RCDATA	0x6bb418	0x3f74	Delphi compiled form 'TfmSMARTForm'			0.9453952228515144
RT_RCDATA	0x6bf38c	0x699	Delphi compiled form 'TfmSmartMonForm'			0.38188277087033745
RT_RCDATA	0x6bfa28	0x3467	Delphi compiled form 'TfmSmartTest'			0.9279910547894148
RT_RCDATA	0x6c2e90	0x135a2	Delphi compiled form 'TfmTestForm'			0.6492443166048495
RT_RCDATA	0x6d6434	0x665	Delphi compiled form 'TPathDialogForm'			0.4935858277336591
RT_RCDATA	0x6d6a9c	0x19a7	Delphi compiled form 'TsCalcForm'			0.19400030455306838
RT_RCDATA	0x6d8444	0x1e35	Delphi compiled form 'TsColorDialogForm'			0.2595370490107332
RT_RCDATA	0x6da27c	0x2d7	Delphi compiled form 'TsPopupCalendar'			0.594222833562586
RT_GROUP_CURSOR	0x6da554	0x14	data	English	United States	1.3
RT_GROUP_CURSOR	0x6da568	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6da57c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6da590	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x6da5a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6da5b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6da5cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6da5e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6da5f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x6da608	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x6da648	0x19c	data	English	United States	0.529126213592233
RT_MANIFEST	0x6da7e4	0x452	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4674502712477396

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WindowFromDC, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetDlgItemTextW, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, SendDlgItemMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxIndirectW, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadMenuW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemRect, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextA, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIconFromResource, CreateIcon, CreateCaret, CountClipboardFormats, CopyRect, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, BeginDeferWindowPos, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	WidenPath, UnrealizeObject, TextOutW, StrokePath, StrokeAndFillPath, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetMapMode, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetBitmapBits, SetArcDirection, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, PtVisible, PolylineTo, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlgBlt, PlayEnhMetaFile, Pie, PathToRegion, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetTextCharacterExtra, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapDimensionEx, GetBitmapBits, GdiFlush, FrameRgn, FillPath, ExtTextOutW, ExtSelectClipRgn, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontFamiliesExW, EndPath, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateEnhMetaFileW, CreateEllipticRgnIndirect, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseFigure, CloseEnhMetaFile, Chord, BitBlt, BeginPath, ArcTo, Arc, AngleArc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrlenW, lstrcmpW, WriteProcessMemory, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetPriorityClass, SetLastError, SetFilePointerEx, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadProcessMemory, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, OpenProcess, MulDiv, LockResource, LocalFree, LocalAlloc, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetPrivateProfileStringW, GetPriorityClass, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
advapi32.dll	RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, SafeArrayPutElement, SafeArrayCreate, SysFreeString, SysAllocString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteW, Shell_NotifyIconW
wininet.dll	InternetSetOptionW, InternetOpenW, InternetConnectW, InternetCloseHandle
URLMON.DLL	CoInternetCreateZoneManager, CoInternetCreateSecurityManager, URLDownloadToFileW
shell32.dll	SHGetSpecialFolderLocation, SHGetMalloc, SHGetDesktopFolder
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
kernel32.dll	MulDiv
SetupApi.dll	SetupDiGetDeviceRegistryPropertyW, SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsW, SetupDiGetDeviceInterfaceDetailW, SetupDiEnumDeviceInterfaces, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo
kernel32.dll	SetThreadExecutionState
cfgmgr32.dll	CM_Get_DevNode_Registry_PropertyA, CM_Get_Parent

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	1	0x458640

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Target ID:	0
Start time:	22:23:48
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\HDDScan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HDDScan.exe"
Imagebase:	0x400000
File size:	7'131'648 bytes
MD5 hash:	6EF8DE39A76D481E8C2047A4744D4089
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1627302543.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:23:57
Start date:	28/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 596
Imagebase:	0x850000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HDDScan.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HDDScan.exe_ea76cdead1d43b14caecbb56706fddae3cce72_2ee009fe_89fc0316-4654-4def-96d8-ca5193bfe192\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA724.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA800.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA820.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
HDDScan.exe