File name:

HDD.Low.Level.Format.Tool.v4.50.exe

Full analysis: https://app.any.run/tasks/c7314d5b-bd4b-43ee-b332-3054454706c3
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 30, 2024, 13:48:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
loader
auto
generic
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

6B1B7F0F19AE8B03EF7E37EB8E8BCBAD

SHA1:

17B0096EAC00E82B589B0C00B17955C5DDF8A5AB

SHA256:

56A3AC94D466D4769593C21CD3B38EC3A3862635919041E5342FFA77C0B1AEFA

SSDEEP:

49152:uFSB829poFbaPndy7hTpeMESUDP0jrzH4Zej6DgfwsUOk8syrHAylpCQBVlARAbf:wSB82Ut8d6NRA0rOej6gBUOhnTCgVlAY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • PACK.EXE (PID: 2212)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5208)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 5988)
    • Steals credentials from Web Browsers

      • setup.exe (PID: 2132)
      • setup.exe (PID: 1876)
      • setup.exe (PID: 1328)
      • setup.exe (PID: 4500)
    • Actions look like stealing of personal data

      • setup.exe (PID: 2132)
      • setup.exe (PID: 1876)
      • setup.exe (PID: 1328)
      • setup.exe (PID: 4500)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • ya.exe (PID: 3612)
    • The process creates files with name similar to system file names

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • ya.exe (PID: 3612)
    • Executable content was dropped or overwritten

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
      • OperaSetup.exe (PID: 1520)
      • setup.exe (PID: 1876)
      • setup.exe (PID: 2132)
      • setup.exe (PID: 2280)
      • setup.exe (PID: 1328)
      • setup.exe (PID: 4500)
    • Reads security settings of Internet Explorer

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 2132)
      • HDDLLF.EXE (PID: 5244)
    • Checks Windows Trust Settings

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 2132)
    • Creates a software uninstall entry

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
    • Starts CMD.EXE for commands execution

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
    • The executable file from the user directory is run by the CMD process

      • PACK.EXE (PID: 2212)
    • The process hides an interactive prompt from the user

      • PACK.EXE (PID: 2212)
    • Starts POWERSHELL.EXE for commands execution

      • PACK.EXE (PID: 2212)
    • The process bypasses the loading of PowerShell profile settings

      • PACK.EXE (PID: 2212)
    • The process hides Powershell's copyright startup banner

      • PACK.EXE (PID: 2212)
    • Script uses the threat ID number to allow Windows Defender to execute it

      • PACK.EXE (PID: 2212)
    • Application launched itself

      • setup.exe (PID: 2132)
      • setup.exe (PID: 4500)
    • Starts itself from another location

      • setup.exe (PID: 2132)
  • INFO

    • Checks supported languages

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • HDDLLF.EXE (PID: 5244)
      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
      • OperaSetup.exe (PID: 1520)
      • setup.exe (PID: 1876)
      • setup.exe (PID: 2132)
      • setup.exe (PID: 4500)
      • setup.exe (PID: 1328)
    • The sample was compiled with English language support

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 1876)
      • setup.exe (PID: 2132)
      • OperaSetup.exe (PID: 1520)
      • setup.exe (PID: 2280)
      • setup.exe (PID: 4500)
      • setup.exe (PID: 1328)
    • Reads the computer name

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • HDDLLF.EXE (PID: 5244)
      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 4500)
    • Creates files or folders in the user directory

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • setup.exe (PID: 2132)
      • setup.exe (PID: 1876)
    • Creates files in the program directory

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
    • Checks proxy server information

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 2132)
    • Reads the machine GUID from the registry

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 2132)
    • Creates files in a temporary directory

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
      • OperaSetup.exe (PID: 1520)
      • setup.exe (PID: 2132)
    • Reads the software policy settings

      • HDD.Low.Level.Format.Tool.v4.50.exe (PID: 624)
      • ya.exe (PID: 3612)
      • setup.exe (PID: 2132)
    • The process uses the downloaded file

      • PACK.EXE (PID: 2212)
      • powershell.exe (PID: 5208)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 5988)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5208)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 5988)
    • Process checks computer location settings

      • PACK.EXE (PID: 2212)
      • ya.exe (PID: 3612)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5208)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 5988)
    • Application launched itself

      • msedge.exe (PID: 876)
      • msedge.exe (PID: 3732)
    • Manual execution by a user

      • msedge.exe (PID: 3732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:56:02+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 412160
UninitializedDataSize: 16384
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.50.0.0
ProductVersionNumber: 4.50.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: HDDGURU
FileDescription: HDD Low Level Format Tool v4.50
FileVersion: 4.50.0.0
LegalCopyright: © HDDGURU
ProductName: HDD Low Level Format Tool v4.50
No data.
All screenshots are available in the full report
Total processes
190
Monitored processes
68
Malicious processes
9
Suspicious processes
0

Behavior graph

start #GENERIC hdd.low.level.format.tool.v4.50.exe hddllf.exe no specs cmd.exe no specs conhost.exe no specs #GENERIC pack.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs ya.exe operasetup.exe setup.exe setup.exe setup.exe setup.exe setup.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs hdd.low.level.format.tool.v4.50.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 440
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x310,0x314,0x318,0x308,0x320,0x7ff821e55fd8,0x7ff821e55fe4,0x7ff821e55ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 624
CMD: "C:\Users\admin\Desktop\HDD.Low.Level.Format.Tool.v4.50.exe"
Path: C:\Users\admin\Desktop\HDD.Low.Level.Format.Tool.v4.50.exe
Parent process: explorer.exe
User:
admin
Company:
HDDGURU
Integrity Level:
HIGH
Description:
HDD Low Level Format Tool v4.50
Exit code:
0
Version:
4.50.0.0
Modules
Images
c:\users\admin\desktop\hdd.low.level.format.tool.v4.50.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 876
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hddguru.com/
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: HDDLLF.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
1
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1016
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5788 --field-trial-handle=2296,i,12840750857691884773,17701060293008435383,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: C:\Users\admin\AppData\Local\Temp\7zS0F504954\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x72ba9d44,0x72ba9d50,0x72ba9d5c
Path: C:\Users\admin\AppData\Local\Temp\7zS0F504954\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Installer
Version:
115.0.5322.119
Modules
Images
c:\users\admin\appdata\local\temp\7zs0f504954\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1448
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1520
CMD: "C:\Users\admin\Downloads\OperaSetup.exe" --silent --allusers=0
Path: C:\Users\admin\Downloads\OperaSetup.exe
Parent process: ya.exe
User:
admin
Integrity Level:
HIGH
Description:
Opera installer SFX
Version:
115.0.5322.119
Modules
Images
c:\users\admin\downloads\operasetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1540
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2436 --field-trial-handle=2440,i,3370805856271755370,14780998518083748488,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1868
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x28c,0x294,0x298,0x290,0x2a0,0x7ff821e55fd8,0x7ff821e55fe4,0x7ff821e55ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1876
CMD: C:\Users\admin\AppData\Local\Temp\7zS0F504954\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x33c,0x340,0x344,0x318,0x348,0x741f9d44,0x741f9d50,0x741f9d5c
Path: C:\Users\admin\AppData\Local\Temp\7zS0F504954\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Installer
Version:
115.0.5322.119
Modules
Images
c:\users\admin\appdata\local\temp\7zs0f504954\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events
33 125
Read events
33 063
Write events
62
Delete events
0

Modification events

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDD Low Level Format Tool
Operation: write
Name: Publisher
Value:
HDDGURU

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDD Low Level Format Tool
Operation: write
Name: DisplayName
Value:
HDD Low Level Format Tool

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDD Low Level Format Tool
Operation: write
Name: UninstallString
Value:
C:\Program Files (x86)\HDDGURU LLF Tool\Uninstall.exe

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDD Low Level Format Tool
Operation: write
Name: DisplayIcon
Value:
C:\Program Files (x86)\HDDGURU LLF Tool\HDDLLF.exe

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDD Low Level Format Tool
Operation: write
Name: DisplayVersion
Value:
4.50

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDD Low Level Format Tool
Operation: write
Name: EstimatedSize
Value:
2152

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (624) HDD.Low.Level.Format.Tool.v4.50.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3612) ya.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
Executable files
27
Suspicious files
394
Text files
71
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz620B.tmp\ru.bmp
Type: image
MD5: ACBA4CB0FEE2EA0560DCE560D8BB1D00
SHA256: A134FDAFE45A29C94295C6164C118B0166870807BFAFA94DB211BF61802EE432

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz620B.tmp\LangDLL.dll
Type: executable
MD5: 549EE11198143574F4D9953198A09FE8
SHA256: 131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Program Files (x86)\HDDGURU LLF Tool\HDDLLF_RU.EXE
Type: executable
MD5: E043F2DC1D605127AB3B8AFC48E0D611
SHA256: C9DEC5A56DA798C154B2C0E2E99FF43280911C848FC32F442057A80F3A95B868

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz620B.tmp\nsDialogs.dll
Type: executable
MD5: B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA256: 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Low Level Format Tool\Uninstall HDD Low Level Format Tool.lnk
Type: binary
MD5: 001404C47462AC4CD967A7602CBF4494
SHA256: AA6C4D3717E8F4BEE7910257980C240B1DBB07429896F5DAD13EB7CD88EB6702

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\AppData\Local\llftool.4.50.agreement
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Low Level Format Tool\HDD Low Level Format Tool.lnk
Type: binary
MD5: 9C1BB929E2DED273BD63BA90A725D718
SHA256: 1B8EFD9C11E200AD3FD1CEC349B4C76A6AAD12375094B90E62AC421999CC0C97

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Program Files (x86)\HDDGURU LLF Tool\HDDLLF_EN.EXE
Type: executable
MD5: B1302014E77467EE71ACE4671C435812
SHA256: 3C5EF6834BEB306D0A61F9FAF41586B94D1A22D66CC1CD3B62D04CA8DD50FDDD

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Users\admin\Desktop\HDD Low Level Format Tool.lnk
Type: binary
MD5: 83452AAC0C14B6B368E8CFFEB82BAB52
SHA256: 255607CFDBAC71D9EBA7200673302827EFF905AB59EB4BF8660A6EF3FFC197A6

PID: 624
Process: HDD.Low.Level.Format.Tool.v4.50.exe
Filename: C:\Program Files (x86)\HDDGURU LLF Tool\Uninstall.exe
Type: executable
MD5: 507143CDFD73CE733E019CB624CD8654
SHA256: DF2DEE4875C98AAAA4C2EE480AC2A4DC47E06F98CF51E335DEFC469E5FEDB6EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
172
TCP/UDP connections
202
DNS requests
179
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
302
35.158.41.56:443
https://download.opera.com/download/get/?id=69300&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=d2f1d117-edab-447d-9d96-d73eefce5cd1
unknown
GET
401
13.107.6.158:443
https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox
unknown
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1
unknown
binary
768 b
whitelisted
GET
200
13.107.21.239:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
binary
830 b
whitelisted
GET
200
104.20.3.235:443
https://pastebin.com/raw/vkwZzU9B
unknown
text
35 b
shared
GET
200
194.87.189.43:443
https://mail.repack.me/tsjtmfdm.pkg
unknown
executable
410 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.110.203:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2040
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
624
HDD.Low.Level.Format.Tool.v4.50.exe
104.20.3.235:443
pastebin.com
CLOUDFLARENET
shared
624
HDD.Low.Level.Format.Tool.v4.50.exe
194.87.189.43:443
mail.repack.me
LLC Baxet
CZ
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.16.110.203
  • 2.16.110.193
  • 2.16.110.122
  • 2.16.110.200
  • 2.16.110.194
  • 2.16.110.131
  • 2.16.110.130
  • 2.16.110.138
  • 2.16.110.139
  • 2.16.110.137
  • 2.16.110.121
  • 2.16.110.128
  • 2.16.110.202
  • 2.16.110.201
  • 2.16.110.120
  • 2.16.110.136
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.164
  • 23.48.23.167
  • 23.48.23.156
  • 23.48.23.145
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
pastebin.com
  • 104.20.3.235
  • 104.20.4.235
  • 172.67.19.24
shared
mail.repack.me
  • 194.87.189.43
whitelisted
net.geo.opera.com
  • 185.26.182.112
  • 185.26.182.111
whitelisted
autoupdate.opera.com
  • 185.26.182.123
  • 185.26.182.124
whitelisted
autoupdate.geo.opera.com
  • 82.145.216.19
  • 82.145.216.20
  • 82.145.216.47
  • 82.145.216.46
whitelisted

Threats

PID
Process
Class
Message
3620
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
3620
msedge.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
3620
msedge.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
No debug info