File name: HideVolumeOSD-1.0.exe
Full analysis: https://app.any.run/tasks/0269d574-79ae-403d-b07e-47b1dd75d816
Verdict: Malicious activity
Analysis date: November 10, 2023, 17:13:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FD87C1FDFB5D0C3B088BF8525E59B5C0
SHA1: C5C7796B43A11D59021B8A4B2FB976201965FD73
SHA256: 8FD9DF87F403EC5F78EF18FF19377EC519F6B03E274C362337FB691F99C673D1
SSDEEP: 12288:erdgbchKeIH8/qQBbsaj0R/zh5iA2Wm+U8e9YzVWFzOlp:eBgwhKeIH8/V5hj0dl5iA2Wmr8OYzVWg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • HideVolumeOSD-1.0.exe (PID: 3472)
      • HideVolumeOSD-1.0.exe (PID: 3416)
      • HideVolumeOSD-1.0.tmp (PID: 3524)
    • Creates files in the Startup directory
      • HideVolumeOSD-1.0.tmp (PID: 3524)
  • SUSPICIOUS
    • Reads the Windows owner or organization settings
      • HideVolumeOSD-1.0.tmp (PID: 3524)
    • Process drops a legitimate Windows executable
      • HideVolumeOSD-1.0.tmp (PID: 3524)
    • Reads the Internet Settings
      • HideVolumeOSD.exe (PID: 3404)
  • INFO
    • Checks supported languages
      • HideVolumeOSD-1.0.exe (PID: 3416)
      • HideVolumeOSD.exe (PID: 3404)
      • HideVolumeOSD-1.0.tmp (PID: 3524)
      • HideVolumeOSD-1.0.tmp (PID: 3128)
      • HideVolumeOSD-1.0.exe (PID: 3472)
    • Reads the computer name
      • HideVolumeOSD-1.0.tmp (PID: 3128)
      • HideVolumeOSD-1.0.tmp (PID: 3524)
      • HideVolumeOSD.exe (PID: 3404)
    • Creates files in a temporary directory
      • HideVolumeOSD-1.0.exe (PID: 3472)
      • HideVolumeOSD-1.0.tmp (PID: 3524)
      • HideVolumeOSD-1.0.exe (PID: 3416)
    • Reads the machine GUID from the registry
      • HideVolumeOSD.exe (PID: 3404)
    • Creates files in the program directory
      • HideVolumeOSD-1.0.tmp (PID: 3524)
No Malware configuration.

TRiD

.exe | Inno Setup installer (71.1)
.exe | Win32 Executable Delphi generic (9.1)
.scr | Windows screen saver (8.4)
.dll | Win32 Dynamic Link Library (generic) (4.2)
.exe | Win32 Executable (generic) (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 40448
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xa5f8
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Venturi
FileDescription: HideVolumeOSD Setup
FileVersion: 1.0
LegalCopyright: Copyright © 2015 by Marcus Venturi
ProductName: HideVolumeOSD
ProductVersion: 1.0
Total processes: 41
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain (graph rendering not captured): start → hidevolumeosd-1.0.exe → hidevolumeosd-1.0.tmp → hidevolumeosd-1.0.exe → hidevolumeosd-1.0.tmp → hidevolumeosd.exe

Process information

PID 3128 | HideVolumeOSD-1.0.tmp
  CMD: "C:\Users\admin\AppData\Local\Temp\is-06GQJ.tmp\HideVolumeOSD-1.0.tmp" /SL5="$60134,71775,56832,C:\Users\admin\AppData\Local\Temp\HideVolumeOSD-1.0.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-06GQJ.tmp\HideVolumeOSD-1.0.tmp
  Parent process: HideVolumeOSD-1.0.exe
  User: admin
  Integrity level: MEDIUM
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.52.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\is-06gqj.tmp\hidevolumeosd-1.0.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll

PID 3404 | HideVolumeOSD.exe
  CMD: "C:\Program Files\HideVolumeOSD\HideVolumeOSD.exe"
  Path: C:\Program Files\HideVolumeOSD\HideVolumeOSD.exe
  Parent process: HideVolumeOSD-1.0.tmp
  User: admin
  Company: Venturi
  Integrity level: HIGH
  Description: HideVolumeOSD
  Exit code: 0
  Version: 1.1.0.0
  Modules (images):
    c:\program files\hidevolumeosd\hidevolumeosd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3416 | HideVolumeOSD-1.0.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\HideVolumeOSD-1.0.exe"
  Path: C:\Users\admin\AppData\Local\Temp\HideVolumeOSD-1.0.exe
  Parent process: explorer.exe
  User: admin
  Company: Venturi
  Integrity level: MEDIUM
  Description: HideVolumeOSD Setup
  Exit code: 0
  Version: 1.0
  Modules (images):
    c:\users\admin\appdata\local\temp\hidevolumeosd-1.0.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll

PID 3472 | HideVolumeOSD-1.0.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\HideVolumeOSD-1.0.exe" /SPAWNWND=$401F4 /NOTIFYWND=$60134
  Path: C:\Users\admin\AppData\Local\Temp\HideVolumeOSD-1.0.exe
  Parent process: HideVolumeOSD-1.0.tmp
  User: admin
  Company: Venturi
  Integrity level: HIGH
  Description: HideVolumeOSD Setup
  Exit code: 0
  Version: 1.0
  Modules (images):
    c:\users\admin\appdata\local\temp\hidevolumeosd-1.0.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll

PID 3524 | HideVolumeOSD-1.0.tmp
  CMD: "C:\Users\admin\AppData\Local\Temp\is-QG5H7.tmp\HideVolumeOSD-1.0.tmp" /SL5="$601F6,71775,56832,C:\Users\admin\AppData\Local\Temp\HideVolumeOSD-1.0.exe" /SPAWNWND=$401F4 /NOTIFYWND=$60134
  Path: C:\Users\admin\AppData\Local\Temp\is-QG5H7.tmp\HideVolumeOSD-1.0.tmp
  Parent process: HideVolumeOSD-1.0.exe
  User: admin
  Integrity level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.52.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\is-qg5h7.tmp\hidevolumeosd-1.0.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll
Total events: 1 183
Read events: 1 169
Write events: 8
Delete events: 6

Modification events

PID 3404 (HideVolumeOSD.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: ProxyBypass | Value: 1
PID 3404 (HideVolumeOSD.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: IntranetName | Value: 1
PID 3404 (HideVolumeOSD.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: UNCAsIntranet | Value: 1
PID 3404 (HideVolumeOSD.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: AutoDetect | Value: 0
PID 3524 (HideVolumeOSD-1.0.tmp)
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  Operation: delete value | Name: RegFilesHash | Value: F6B891AD4ECE97D0A343E3AA8E5535A6B4C61F596568FA016248AF2DA1C85E45
PID 3524 (HideVolumeOSD-1.0.tmp)
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  Operation: delete value | Name: RegFiles0000 | Value: C:\Program Files\HideVolumeOSD\HideVolumeOSD.exe
PID 3524 (HideVolumeOSD-1.0.tmp)
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  Operation: delete value | Name: Sequence | Value: 1
PID 3524 (HideVolumeOSD-1.0.tmp)
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  Operation: delete value | Name: SessionHash | Value: 42A1AA1A540CBE5ABA3233CF658E05F640C1750CF056C46CAA3D1EDFED064B4D
PID 3524 (HideVolumeOSD-1.0.tmp)
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  Operation: delete value | Name: Owner | Value: C40D0000E068D336F913DA01
PID 3524 (HideVolumeOSD-1.0.tmp)
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  Operation: delete key | Name: (default) | Value: (none)
Executable files: 7
Suspicious files: 5
Text files: 0
Unknown types: 0

Dropped files

PID 3524 | HideVolumeOSD-1.0.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HideVolumeOSD\HideVolumeOSD (Hide).lnk | binary
  MD5: 34F4841D8CBA7E081C5D7B7AFA6FAE6E
  SHA256: D5AC1DF4730CC95986953A89A2CF572A95529AD50422345C67572295F7661D12
PID 3524 | HideVolumeOSD-1.0.tmp | C:\Program Files\HideVolumeOSD\is-G7VMT.tmp | executable
  MD5: 4669F964161534806760FDF58CEE3EC7
  SHA256: 3DFDD73EF7B5E2479BEE0DD7E4B41293A32368528E1103BF4729928337FB5208
PID 3524 | HideVolumeOSD-1.0.tmp | C:\Users\admin\AppData\Local\Temp\is-NSHGJ.tmp\_isetup\_shfoldr.dll | executable
  MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
  SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
PID 3524 | HideVolumeOSD-1.0.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HideVolumeOSD\HideVolumeOSD.lnk | binary
  MD5: DA3993F23959E696616F2E57446135C8
  SHA256: BE3735634B8142A82516305E585D452D8E32022AD484CBE15C04EBB5EA694336
PID 3524 | HideVolumeOSD-1.0.tmp | C:\Program Files\HideVolumeOSD\unins000.dat | binary
  MD5: 0737215E41D742997D7DE04D010D7BC4
  SHA256: 5A5613302CBF6BED5477A24EFCDE386B7BD18D5E0A4EB08DC4ABD255895154B9
PID 3524 | HideVolumeOSD-1.0.tmp | C:\Program Files\HideVolumeOSD\unins000.exe | executable
  MD5: 382F475855A0669AF4DB0A85EAC29516
  SHA256: 9E782B86480037A876BFCF5CCAEE77F30B0E0F10AB2D239FF425FC50DA202D98
PID 3524 | HideVolumeOSD-1.0.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HideVolumeOSD.lnk | binary
  MD5: DA3993F23959E696616F2E57446135C8
  SHA256: BE3735634B8142A82516305E585D452D8E32022AD484CBE15C04EBB5EA694336
PID 3416 | HideVolumeOSD-1.0.exe | C:\Users\admin\AppData\Local\Temp\is-06GQJ.tmp\HideVolumeOSD-1.0.tmp | executable
  MD5: 2C10DB017057DCE22651243244E4FEE6
  SHA256: E442E83C27E94BC37EB6C02411A88EDD8CB83777D50312B9EF7BFC214C4CC7B2
PID 3524 | HideVolumeOSD-1.0.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HideVolumeOSD\HideVolumeOSD (Show).lnk | binary
  MD5: 00145D2B61580FA2535D007FF281DC8C
  SHA256: B408F8566C91ABC9F77E8A3494DAFDAC2F95DB2B7B676B3000391F9530D76782
PID 3524 | HideVolumeOSD-1.0.tmp | C:\Program Files\HideVolumeOSD\is-FJ0U3.tmp | executable
  MD5: 382F475855A0669AF4DB0A85EAC29516
  SHA256: 9E782B86480037A876BFCF5CCAEE77F30B0E0F10AB2D239FF425FC50DA202D98
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process     | IP:port              | Reputation
4    | System      | 192.168.100.255:137  | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | whitelisted
4    | System      | 192.168.100.255:138  | whitelisted
1080 | svchost.exe | 224.0.0.252:5355     | unknown

Domain, ASN and CN: not recorded for any connection.

DNS requests: no data

Threats: no threats detected

Debug info: none