File Name: HDCleaner.exe
SHA1: e7de6c9ef0f939cd1b76dd8d9117b44b52bdbfc3
MD5: 86260b9ba333a6f083b582b34574b170
First Seen Date: 2017-01-18 21:09:58.166466
Number of Clients Seen: 2
Last Analysis Date: 2017-01-18 21:09:58.166466
Human Expert Analysis Date: 2017-01-27 12:13:26.826098
Human Expert Analysis Result: Clean
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2017-01-18 21:09:58.166466 | Clean
Static Analysis Overall Verdict | 2017-01-18 21:09:58.166466 | Highly Suspicious
Dynamic Analysis Overall Verdict | 2017-01-18 21:09:58.166466 | No Threat Found
Human Expert Analysis Overall Verdict | 2017-01-27 12:13:26.826098 | Clean
Static Analysis
Static Analysis Overall Verdict: Highly Suspicious

Detector | Result
---|---
Optional Header LoaderFlags field is valued illegal | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of optional header | Clean
Packer detection on signature database | Unknown
Based on the section entropy check, file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header checksum is zero | Clean
Entry point is outside the 1st (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean
Anti-VM present | Clean
The SizeOfRawData is valued illegal; binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean

Packer detection on signature database: Microsoft CAB SFX

The two static results are consistent rather than contradictory: a CAB self-extractor stores its payload as a compressed cabinet, so at least one section has a near-random byte distribution and trips the entropy check by construction, while the signature match names the extractor stub. The extracted payload (IXP000.TMP\Setup.exe in the dynamic trace below) is what actually runs and is what a second static pass should examine.
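The header checks in the detector table above, re-implemented as an added example that is not the sandbox's own detector code. It parses the PE/COFF headers with struct only, builds two constructed PE32 images (one with a low-entropy code section, one with a hash-derived section standing in for a compressed cabinet, a zero checksum, an entry point in the second section and a TLS directory) and reports which checks would fire. The 7.0 bits/byte entropy threshold, the sample layout constants and the check names are assumptions; signature-based packer detection and anti-VM detection are not reproduced.

```python
"""Re-implementation of the PE header checks listed in the static analysis
table, run on two constructed PE32 images. Added example, not the sandbox's
own detector code; the 7.0 bits/byte entropy threshold is an assumption."""
import hashlib
import math
import struct
import time

# PE32 optional header up to (not including) the data directories: 96 bytes.
_OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6
_COFF_FMT = "<IHHIIIHH"        # Signature + COFF file header: 24 bytes
_SECT_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER: 40 bytes


def entropy(blob):
    """Shannon entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe(sections, entry_rva, checksum=0x1234, loader_flags=0,
             n_dirs=16, tls_rva=0, timestamp=1484000000):
    """Assemble a minimal PE32 file from (name, raw_bytes) sections (test fixture)."""
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x400
    dirs = [(0, 0)] * 16
    dirs[9] = (tls_rva, 0x18 if tls_rva else 0)          # index 9 = TLS directory
    coff = struct.pack(_COFF_FMT, 0x4550, 0x14C, len(sections), timestamp,
                       0, 0, 224, 0x102)
    opt = struct.pack(_OPT_FMT, 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, sect_align, file_align, 6, 0, 0, 0, 6, 0, 0,
                      sect_align * (len(sections) + 1), hdr_size, checksum,
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000,
                      loader_flags, n_dirs)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect_hdrs, body, raw_ptr, rva = b"", b"", hdr_size, sect_align
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        sect_hdrs += struct.pack(_SECT_FMT, name, len(data), rva, len(padded),
                                 raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        rva += -(-len(padded) // sect_align) * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)      # e_lfanew = 0x80
    headers = dos + b"\0" * (0x80 - len(dos)) + coff + opt + sect_hdrs
    return headers + b"\0" * (hdr_size - len(headers)) + body


def analyze_pe(data):
    """Return {check: True if the detector would fire} for the report's checks."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, _, n_sect, timestamp, _, _, opt_size, _ = struct.unpack_from(
        _COFF_FMT, data, e_lfanew)
    if data[:2] != b"MZ" or sig != 0x4550:
        raise ValueError("not a PE file")
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(_OPT_FMT, data, opt_off)
    magic, entry, checksum, loader_flags, n_dirs = opt[0], opt[6], opt[21], opt[28], opt[29]
    tls_rva = 0
    if n_dirs > 9:                                    # TLS entry is directory #9
        tls_rva = struct.unpack_from("<I", data, opt_off + 96 + 9 * 8)[0]
    sections = []
    for i in range(n_sect):           # section headers follow the declared optional header size
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, va, rsize, rptr))
    first = sections[0] if sections else None
    entry_in_first = (first is not None and
                      first[2] <= entry < first[2] + max(first[1], first[3]))
    return {
        "loader_flags_illegal": loader_flags != 0,          # must be zero per spec
        "bad_section_names": any(not n or not n.isascii() for n, *_ in sections),
        "optional_header_size_illegal": opt_size != {0x10B: 224, 0x20B: 240}.get(magic),
        "high_entropy_section": any(entropy(data[p:p + s]) > 7.0 for *_, s, p in sections),
        "timestamp_suspicious": timestamp == 0 or timestamp > time.time(),
        "checksum_zero": checksum == 0,
        "entry_outside_first_section": not entry_in_first,
        "rva_count_illegal": n_dirs != 16,
        "raw_size_illegal": any(p + s > len(data) for *_, s, p in sections),
        "tls_callbacks": tls_rva != 0,
    }


# Constructed samples. CODE is repetitive x86-looking bytes (low entropy); CAB is
# hash output standing in for a compressed cabinet payload (near 8 bits/byte).
CODE = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512
CAB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
BENIGN = build_pe([(b".text", CODE), (b".data", b"\0" * 512)], entry_rva=0x1010)
SFX_LIKE = build_pe([(b".text", CODE), (b".rsrc", CAB)], entry_rva=0x2000,
                    checksum=0, tls_rva=0x2100)

if __name__ == "__main__":
    for label, img in (("benign", BENIGN), ("sfx-like", SFX_LIKE)):
        fired = [k for k, v in analyze_pe(img).items() if v]
        print(f"{label}: {fired or 'no detector fired'}")
```

Run against a real file, read it in binary mode and pass the bytes to analyze_pe; the entropy check alone should not drive a verdict, since any archive-based installer scores high on it for the reason given above.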
Dynamic Analysis
Dynamic Analysis Overall Verdict: No Threat Found

Suspicious Behaviors
Modifies Windows policies
Uses a function clandestinely
Modifies Windows Service Keys
Opens a file in a system directory
Has no visible windows
Behavioral Information
C:\Users\win7\AppData\Local\Temp\IXP000.TMP\Setup.exe
C:\Users\win7\AppData\Local\Tem
C:\Windows\system32\Riched20.dll
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
Disable
DataFilePath
Plane1
Plane2
Plane3
Plane4
Plane5
Plane6
Plane7
Plane8
Plane9
Plane10
Plane11
Plane12
Plane13
Plane14
Plane15
Plane16
FirstRun
LastIndex
SYSTEM\CurrentControlSet\Services\VSS\Diag
SystemRestore
C:\
C:\Users\desktop.ini
C:\Users
C:\Users\win7
C:\Users\win7\AppData
C:\Users\win7\AppData\Local
C:\Users\win7\AppData\Local\Temp
C:\Users\win7\AppData\Local\Temp\IXP000.TMP
C:\Users\win7\Desktop\desktop.ini
C:\Users\win7\Searches\desktop.ini
C:\Users\win7\Videos\desktop.ini
C:\Users\win7\Pictures\desktop.ini
C:\Users\win7\Contacts\desktop.ini
C:\Users\win7\Favorites\desktop.ini
C:\Users\win7\Music\desktop.ini
C:\Users\win7\Downloads\desktop.ini
C:\Users\win7\Documents\desktop.ini
C:\Users\win7\Links\desktop.ini
C:\Users\win7\Saved Games\desktop.ini
C:\Windows\Fonts\staticcache.dat
C:\Windows\system32\rsaenh.dll
SOFTWARE\Microsoft\OLEAUT
Software\Microsoft\Windows\CurrentVersion\Setup
Software\Microsoft\Windows\CurrentVersion
system\CurrentControlSet\control\NetworkProvider\HwOrder
SYSTEM\CurrentControlSet\Services\SPP\Debug\Tracing
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Setup.exe
Visual Studio .NET 2003
CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
{babe9b11-0f98-11e5-b301-806e6f6e6963}\
Drive\shellex\FolderExtensions
Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
Software\Policies\Microsoft\Windows\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
<NULL>
Advanced
Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
Directory
CurVer
ShellEx\IconHandler
Folder
AllFilesystemObjects
DocObject
BrowseInPlace
Clsid
Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
PropertyBag
SessionInfo\1
KnownFolders
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
{5E6C858F-0E22-4760-9AFE-EA3317B67173}
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3979321414-2393373014-2172761192-1000
{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}
CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
Software\Microsoft\Rpc
Software\Policies\Microsoft\Windows NT\Rpc
{babe9b14-0f98-11e5-b301-806e6f6e6963}\
{babe9b10-0f98-11e5-b301-806e6f6e6963}\
{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}
{F38BF404-1D43-42F2-9305-67DE0B28FC23}
{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}
{2112AB0A-C86A-4FFE-A368-0DE96E47012E}
{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}
{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}
{9E52AB10-F80D-49DF-ACB8-4330F5687855}
{98EC0E18-2098-4D44-8644-66979315A281}
{A4115719-D62E-491D-AA7C-E74B8BE3B067}
{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}
{18989B1D-99B5-455B-841C-AB7C74E4DDFC}
{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
{DE974D24-D9C6-4D3E-BF91-F4455120B917}
{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}
{76FC4E2D-D6AD-4519-A663-37BD56068185}
{A75D362E-50FC-4FB7-AC2C-A8BEAA314493}
{491E922F-5643-4AF4-A7EB-4E7A138D8174}
{33E28130-4E1E-4676-835A-98395C3BC3BB}
{8AD10C31-2ADB-4296-A8F7-E4701232C972}
{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}
{DEBF2536-E1A8-4C59-B6A2-414586476AEA}
{0F214138-B1D3-4A90-BBA9-27CBC0C5389A}
{2400183A-6185-49FB-A2D8-4A392A602BA3}
{D9DC8A3B-B784-432E-A781-5A1130A75963}
{C4900540-2379-4C75-844B-64E6FAF8716B}
{289A9A43-BE44-4057-A41B-587A76D7E7F9}
{4BFEFB45-347D-4006-A5BE-AC0CB0567192}
{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}
{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}
{C870044B-F49E-4126-A9C3-B52A1FF411E8}
{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}
{C5ABBF53-E17F-4121-8900-86626FC2C973}
{56784854-C6CB-462B-8169-88E350ACB882}
{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}
{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}
{A302545D-DEFF-464B-ABE8-61C8648D939B}
{2B0F765D-C0E9-4171-908E-08A611B84FF6}
{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}
{E555AB60-153B-4D17-9F04-A5FE99FC15EC}
{054FAE61-4DD8-4787-80B6-090220C4B700}
{1777F761-68AD-4D8A-87BD-30B759FA33DD}
{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}
{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}
{8983036C-27C0-404B-8F08-102D10DCFD74}
{BCB5256F-79F6-4CEE-B725-DC34E402FD46}
{724EF170-A42D-4FEF-9F26-B60E846FBA4F}
{4BD8D571-6D19-48D3-BE97-422220080E43}
{DE61D971-5EBC-4F02-A3A9-6C82895E5C04}
{0762D272-C50A-4BB0-A382-697DCD729B80}
{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}
{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}
{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}
{0AC0837C-BBF8-452A-850D-79D08E667CA7}
{D0384E7D-BAC3-4797-8F14-CBA229B392B5}
{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}
{AE50C081-EBD2-438A-8655-8A092E34987A}
{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}
{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}
{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}
{374DE290-123F-4565-9164-39C4925E467B}
{859EAD94-2E85-48AD-A71A-0969CB56A6CD}
{A305CE99-F527-492B-8B1A-7E76FA98D6E4}
{3D644C9B-1FB8-4F30-9B45-F670235F79C0}
{A990AE9F-A03B-4E80-94BC-9912D7504104}
{DFDF76A2-C82A-4D63-906A-5644AC457385}
{1A6FDBA2-F42D-4358-A798-B74D745926C5}
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
{B88F4DAA-E7BD-49A9-B74D-02885A5DC765}
{2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39}
{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
{DF7266AC-9274-4867-8D55-3BD661DE872D}
{ED4824AF-DCE4-45A8-81E2-FC7965083634}
{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}
{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}
{3214FAB5-9757-4298-BB61-92A9DEAA44FF}
{905E63B6-C1BF-494E-B29C-65B732D3D21A}
{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}
{B97D20BB-F46A-4C97-BA10-5E3608430854}
{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}
{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}
{DE92C1C7-837F-4F69-A3BB-86E631204A23}
{10C07CD0-EF91-4567-B850-448B77CB37F9}
{FDD39AD0-238F-46AF-ADB4-6C85480369C7}
{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}
{190337D1-B8CA-4121-A639-6D472D16972A}
{54EED2E0-E7CA-4FDB-9148-0F4247291CFA}
{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}
{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}
{B94237E7-57AC-4347-9151-B08C6C32D1F7}
{352481E8-33BE-4251-BA85-6007CAEDCF9D}
{A63293E8-664E-48DB-A079-DF759E0509F7}
{5CE4A5E9-E4EB-479D-B89F-130C02886155}
{82A74AEB-AEB4-465C-A014-D097EE346D63}
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}
{43668BF8-C14E-49B2-97C9-747784D784B7}
{915221FB-9EFE-4BDA-8FD7-F78DCA774F87}
{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}
Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\ShellFolder
Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
DelegateFolders
{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
UsersFiles\NameSpace
UsersFiles\NameSpace\DelegateFolders
.exe
.exe\OpenWithProgids
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
UserChoice
exefile
SystemFileAssociations\.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
EnhancedStorageShell
SharingPrivate
CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32
CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\InProcServer32
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
DefaultIcon
SOFTWARE\Microsoft\CTF\Compatibility\Setup.exe
Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
SOFTWARE\Microsoft\CTF\TIP\
{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
Keyboard Layout\Toggle
Software\Microsoft\CTF\DirectSwitchHotkeys
SOFTWARE\Microsoft\CTF\
SOFTWARE\Microsoft\CTF\KnownClasses
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
Tahoma
Software\Microsoft\CTF\LayoutIcon\0409\0000041f
Software\Microsoft\COM3
Software\Microsoft\OLE
CLSID\{4B966436-6781-4906-8035-9AF94B32C3F7}
AppID\Setup.exe
Software\Microsoft\OLE\AppCompat
SOFTWARE\Microsoft\OLE
SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
Software\Policies\Microsoft\Cryptography
Software\Microsoft\Cryptography
Software\Microsoft\Cryptography\Offload
Interface\{00000134-0000-0000-C000-000000000046}
ProxyStubClsid32
SYSTEM\CurrentControlSet\Services\BFE
Interface\{ADCF3F49-521F-48A6-BABA-8E20D5D3E861}
CLSID\{23CF860E-9D2C-451A-8E83-C79C848D85A6}
InprocServer32
TreatAs
Software\Policies\Microsoft\Windows NT\SystemRestore
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
<NULL>
Local\MSCTF.Asm.MutexDefault1
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
Advapi32.dll
srclient.dll
Shell32.dll
comctl32.dll
UxTheme.dll
IMM32.dll
Riched20.dll
ole32.dll
ADVAPI32.dll
SHELL32.dll
propsys.dll
C:\Windows\System32\shdocvw.dll
WindowsCodecs.dll
C:\Windows\system32\EhStorShell.dll
C:\Windows\system32\ntshrui.dll
c:\windows\system32\imageres.dll
C:\Users\win7\AppData\Local\Temp\IXP000.TMP\Setup.exe
C:\Windows\system32\ole32.dll
C:\Windows\syswow64\MSCTF.dll
OLEAUT32.DLL
API-MS-Win-Security-LSALookup-L1-1-0.dll
CRYPTBASE.dll
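The Behavioral Information list above is a flat dump that mixes file paths, registry keys, value names, GUIDs, a named kernel object and loaded modules, and the Suspicious Behaviors tags in the dynamic section are derived from it. The following added example (not the sandbox vendor's code) sorts such a dump by artifact kind, applies rules approximating three of the report's tags, and separates the Explorer shell-namespace keys that any GUI installer touches. The ARTIFACTS subset is copied from the report; the rule patterns, the "shell enumeration" bucket and the kind labels are the author's own choices. Note the caveat built into the rules: the dump records which keys and files were accessed, not whether they were read or written, so a hit under "Modifies ..." means touched, not proven modified.

```python
"""Sorting a flat sandbox artifact dump, such as the Behavioral Information
list above, into artifact kinds and matching the report's behaviour tags.
Added example, not the sandbox vendor's code; the rule patterns, the
"shell enumeration" bucket and the ARTIFACTS subset are the author's choices."""
import re

# Constructed sample: a representative subset of lines copied from the report.
ARTIFACTS = r"""
C:\Users\win7\AppData\Local\Temp\IXP000.TMP\Setup.exe
C:\Windows\system32\Riched20.dll
C:\Windows\syswow64\USER32.dll
C:\Users\win7\Desktop\desktop.ini
SYSTEM\CurrentControlSet\Services\VSS\Diag
SYSTEM\CurrentControlSet\Services\SPP\Debug\Tracing
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
Software\Policies\Microsoft\Windows\Explorer
CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
{babe9b11-0f98-11e5-b301-806e6f6e6963}\
Local\MSCTF.Asm.MutexDefault1
srclient.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
Plane1
<NULL>
""".strip().splitlines()

_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\?")

# Approximations of the report's behaviour tags. The dump records which keys and
# files were touched, not whether they were read or written, so a match means
# "accessed", not proof of modification.
RULES = {
    "Modifies Windows policies": re.compile(r"\\Policies\\", re.I),
    "Modifies Windows Service Keys": re.compile(
        r"^SYSTEM\\CurrentControlSet\\Services\\", re.I),
    "Opens a file in a system directory": re.compile(
        r"^[A-Za-z]:\\Windows\\(?:system32|syswow64)\\", re.I),
}
# Keys Explorer walks whenever a shell view is shown; expected from a GUI installer.
SHELL_NOISE = re.compile(r"ShellFolder|FolderDescriptions|KnownFolders|shellex|"
                         r"User Shell Folders|\\CTF\\", re.I)


def classify(item):
    """Label one dump line: file path, named kernel object, module, GUID, registry key or bare name."""
    if re.fullmatch(r"[A-Za-z]:\\.*", item):
        return "file"
    if item.startswith(("Local\\", "Global\\")):      # object manager namespace prefix
        return "mutex"
    if re.fullmatch(r"[\w.-]+\.dll", item, re.I):
        return "module"
    if _GUID.fullmatch(item):
        return "guid"
    return "regkey" if "\\" in item else "name"


def triage(items):
    """Return (kinds, hits, noise): artifacts by kind, by matched rule, and shell-enumeration lines."""
    kinds, noise = {}, []
    hits = {tag: [] for tag in RULES}
    for item in items:
        kinds.setdefault(classify(item), []).append(item)
        if SHELL_NOISE.search(item):
            noise.append(item)
        for tag, pat in RULES.items():
            if pat.search(item):
                hits[tag].append(item)
    return kinds, hits, noise


if __name__ == "__main__":
    kinds, hits, noise = triage(ARTIFACTS)
    for kind, items in kinds.items():
        print(f"{kind:7} {len(items)}")
    for tag, items in hits.items():
        print(f"{tag}: {len(items)} -> {items}")
    print(f"shell enumeration noise: {len(noise)}")
```

On the full list the same rules single out the two Services keys (VSS\Diag and SPP\Debug\Tracing, both diagnostic/tracing subkeys) and the three Policies keys, which is the evidence behind the report's "Modifies" tags; an analyst confirming the Clean verdict would want the sandbox's operation type (query versus set) for exactly those five keys.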
Precise Detectors Analysis Results
No Detector Result Received
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results
Analysis Start Date: 2017-01-27 07:52:51.308334
Analysis End Date: 2017-01-27 12:13:26.826098
File Upload Date: 2017-01-18 21:09:58.325969
Update Date: 2017-01-27 12:13:26.831392
Human Expert Analyst Feedback: None
Verdict: Clean
Additional File Information

Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---