Edit tour

Windows Analysis Report
ldiscn32.exe

Overview

General Information

Sample name:	ldiscn32.exe
Analysis ID:	1669160
MD5:	501734f86e298644998701bac1a96862
SHA1:	741b9fe10955f65ab22a7ec25a6af3ac6e71acc1
SHA256:	28ee9437fc0ee951b48d96d5e7ac00fed34b941b79fc6d431950f4f818fd5716
Infos:

Detection

Score:	1
Range:	0 - 100
Confidence:	60%

Signatures

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

ldiscn32.exe (PID: 8332 cmdline: "C:\Users\user\Desktop\ldiscn32.exe" -install MD5: 501734F86E298644998701BAC1A96862)

ldiscn32.exe (PID: 8440 cmdline: "C:\Users\user\Desktop\ldiscn32.exe" /install MD5: 501734F86E298644998701BAC1A96862)

ldiscn32.exe (PID: 8464 cmdline: "C:\Users\user\Desktop\ldiscn32.exe" /load MD5: 501734F86E298644998701BAC1A96862)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Cryptography
• Compliance
• Networking
• System Summary
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\ldiscn32.exe

Code function: 0_2_00578130 CertCloseStore,CryptMsgClose,LocalFree,CertFreeCertificateContext,

0_2_00578130

Source: ldiscn32.exe, 00000000.00000000.1291849781.0000000000891000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_315610a1-7

Source: ldiscn32.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: ldiscn32.exe

Static PE information: certificate valid

Source: ldiscn32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\BuildAgent01\_work\189\s\Build\Dev\ManagementSuite\Release\ldlogon\ldiscn32.pdb source: ldiscn32.exe

Source: ldiscn32.exe	String found in binary or memory: HTTPS://%s/ldlogon/ldappl3.ldz
Source: ldiscn32.exe	String found in binary or memory: HTTPS://%s/ldlogon/ldappl3.ldzInventorySettingsBehaviorSOFTWARE
Source: ldiscn32.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ldiscn32.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ldiscn32.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ldiscn32.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ldiscn32.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ldiscn32.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ldiscn32.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ldiscn32.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ldiscn32.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ldiscn32.exe	String found in binary or memory: http://internal.httpbase.http.bufoverflowProxy-Authorization:
Source: ldiscn32.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: ldiscn32.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ldiscn32.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ldiscn32.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: ldiscn32.exe	String found in binary or memory: http://www.digicert.com/CPS0

Source: ldiscn32.exe, 00000000.00000000.1291849781.0000000000891000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe
Source: ldiscn32.exe, 00000000.00000002.2589750429.0000000000892000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe
Source: ldiscn32.exe, 00000001.00000002.2589752597.0000000000892000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe
Source: ldiscn32.exe, 00000001.00000000.1316082347.0000000000891000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe
Source: ldiscn32.exe, 00000002.00000002.2589730837.0000000000892000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe
Source: ldiscn32.exe, 00000002.00000000.1339256716.0000000000891000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe
Source: ldiscn32.exe	Binary or memory string: Custom Data - ldbios.txt%c:%sExclude FoldersexcludedirExcludeDir1ExcludeDirUsage FilesusagefileIgnored MACsCfgFiles1CfgFiles2CfgFiles3CfgFiles4Invalid data in file.tmp Inflating %sScanning Directory: %s*\Directory Excluded: %sInvalid handle from FindFirstfile!"%s","%s","%s","%s","%s","%s","%s"\StringFileInfo\%04X%04X\\LANDESK\APPVIRT\VD\FS\LANDesk Application Virtualization 2.0FileDescription\VarFileInfo\TranslationProductNameFileVersionCompanyNameThinstallVersionThinAppVersionPackagerSpoonOriginalFilenameInternalNameLegalCopyrightLegalTrademarksProductVersionPrivateBuildComments%02d-%02d-%04d %02d:%02d:%02d %ld"%s","%s","%02d-%02d-%04d","%02d:%02d:%02d","%ld"%02d-%02d-%04d%02d:%02d:%02d%c%I64u KBc:\Program FilesUnable to read ProgramFilesDir. Using Default Program Files folder: %sUnable to open CurrentVersion. Using Default Program Files folder: %sAppXManifest.xmlPackageIdentityProcessorArchitecturePropertiesPublisherDisplayName41Checking for Windows Store AppsWindowsApps\Y@.log.old%-3.3s, %02d %-3.3s %04d %02d:%02d:%02dSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecRollingLog.dll..\ldlogon\..\ManagementSuite\ldlogon\..\LDClient\GetRollingLogPathSetRollingLogPathGetMaxSizeSetMaxSizeRollLogFilesGetLogOptionsRegetLogOptionsSetLogOptionsKeyLocationSetLogDataRelativePathSOFTWARE\LANDesk\ManagementSuite\SetupLogPathlandesk_rollinglog_%d.%d.%d.%d%03d.%03d.%03d.%03d:5007CONNECT %s HTTP/1.1 vs ldiscn32.exe

Source: ldiscn32.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: ldiscn32.exe

Binary string: \Device\

Source: classification engine

Classification label: clean1.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\ldiscn32.exe

Code function: 0_2_0046A770 LoadResource,LockResource,SizeofResource,

0_2_0046A770

Source: ldiscn32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ldiscn32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ldiscn32.exe	String found in binary or memory: id-cmc-addExtensions
Source: ldiscn32.exe	String found in binary or memory: set-addPolicy

Source: unknown	Process created: C:\Users\user\Desktop\ldiscn32.exe "C:\Users\user\Desktop\ldiscn32.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\ldiscn32.exe "C:\Users\user\Desktop\ldiscn32.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\ldiscn32.exe "C:\Users\user\Desktop\ldiscn32.exe" /load

Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: elogapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: loc32vc0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: elogapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: loc32vc0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: elogapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: loc32vc0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ldiscn32.exe	Section loaded: oleacc.dll	Jump to behavior

Source: ldiscn32.exe

Static PE information: certificate valid

Source: ldiscn32.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ldiscn32.exe

Static file information: File size 6054256 > 1048576

Source: ldiscn32.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x42f800
Source: ldiscn32.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x107000

Source: ldiscn32.exe	Static PE information: More than 200 imports for KERNEL32.dll
Source: ldiscn32.exe	Static PE information: More than 200 imports for USER32.dll

Source: ldiscn32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ldiscn32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ldiscn32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ldiscn32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ldiscn32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ldiscn32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ldiscn32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ldiscn32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\BuildAgent01\_work\189\s\Build\Dev\ManagementSuite\Release\ldlogon\ldiscn32.pdb source: ldiscn32.exe

Source: ldiscn32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ldiscn32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ldiscn32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ldiscn32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ldiscn32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ldiscn32.exe	Binary or memory string: VMware
Source: ldiscn32.exe	Binary or memory string: Hyper-V
Source: ldiscn32.exe	Binary or memory string: Found MAC Addr using FirstValidVMWareNIC.
Source: ldiscn32.exe	Binary or memory string: VMWARE_VM
Source: ldiscn32.exe	Binary or memory string: VirtualMachineID
Source: ldiscn32.exe	Binary or memory string: VirtualMachineName
Source: ldiscn32.exe	Binary or memory string: Cinternal.httpbase.http.basefailedCHTTPSession::StartSession calling StartSessionExTop of CHTTPSession::StartSessionExinternal.httpbase.http.startsessioninternal.httpbase.http.proxyportinternal.httpbase.http.proxyauthbufinternal.httpbase.https.socktimeouterrsocketinternal.httpbase.http.connectaddrProxy-Authenticateinternal.httpbase.http.writeerrorinternal.httpbase.http.readerrorinternal.httpbase.http.requesthttp://internal.httpbase.http.bufoverflowProxy-Authorization: Basic Proxy-Authorizationinternal.httpbase.http.responseheaderinternal.httpbase.http.nocoloninternal.httpbase.http.emptyheaderinternal.httpbase.http.headbuffullinternal.httpbase.http.responseinternal.httpbase.http.responsefailedinternal.httpbase.http.badstatusinternal.httpbase.http.responsefinishedinternal.httpbase.http.startsessionex.notimplemented::ffff:[%s]internal.httpbase.http.getaddrinforesolvedaddressinternal.httpbase.http.getaddrinfo.diagnosticsinternal.httpbase.http.socketfailureportinternal.httpbase.http.tryconnectinternal.httpbase.http.connectfailedIPX AddressLANDesk\|Network\|001IPX Network NumberIPX Node AddressSTRING(16)NIC Addressr+tLANDesk\|System Resources\|002STRING(32)READ-ONLYDMTF\|ComponentID\|1.0MachineNT Domain Controller TypeNETAPI32.DLLNetServerGetInfoVirtual VirtualBox Host-Only Ethernet Adapter000.000.000.000GetIP: failed to resolve host name. iterCount = %d.%02X%02X%02X%02X%02X%02XGetAddress() calledFound MAC Addr using IPConfigData.Found MAC Addr using FirstValidNIC.Found MAC Addr using FirstValidVMWareNIC.Found MAC Addr searching through NICs Found MAC Addr using NetBiosGenerating MAC Addr from device GUID: %sNo NIC addr found. Reporting as Unknown.ldiscnupdateresetdeviceidResetDeviceID: call to LocalExecute returned bVal = %d and result = %dldiscnupdatesetdeviceid=
Source: ldiscn32.exe	Binary or memory string: I000000000000000569000C29001C14005056VMWARE_VMASIC1C:\Inetpub\wwwroot\SMaRT\FlashContentIntel SMaRT Tool detectionIntel SMaRT Tool foundhttp://%s/error: could not load resouce stringinternal.ldms.InvScanner.NoServerResponseinternal.ldms.InvScanner.SecureTransportErrorinternal.ldms.InvScanner.LdApplCorruptinternal.ldms.InvScanner.LocalLdApplMissinginternal.ldms.InvScanner.MasterLdApplMissing
Source: ldiscn32.exe, 00000002.00000000.1339256716.0000000000891000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Iinternal.httpbase.http.basefailedCHTTPSession::StartSession calling StartSessionExTop of CHTTPSession::StartSessionExinternal.httpbase.http.startsessioninternal.httpbase.http.proxyportinternal.httpbase.http.proxyauthbufinternal.httpbase.https.socktimeouterrsocketinternal.httpbase.http.connectaddrProxy-Authenticateinternal.httpbase.http.writeerrorinternal.httpbase.http.readerrorinternal.httpbase.http.requesthttp://internal.httpbase.http.bufoverflowProxy-Authorization: Basic Proxy-Authorizationinternal.httpbase.http.responseheaderinternal.httpbase.http.nocoloninternal.httpbase.http.emptyheaderinternal.httpbase.http.headbuffullinternal.httpbase.http.responseinternal.httpbase.http.responsefailedinternal.httpbase.http.badstatusinternal.httpbase.http.responsefinishedinternal.httpbase.http.startsessionex.notimplemented::ffff:[%s]internal.httpbase.http.getaddrinforesolvedaddressinternal.httpbase.http.getaddrinfo.diagnosticsinternal.httpbase.http.socketfailureportinternal.httpbase.http.tryconnectinternal.httpbase.http.connectfailedIPX AddressLANDesk\|Network\|001IPX Network NumberIPX Node AddressSTRING(16)NIC Addressr+tLANDesk\|System Resources\|002STRING(32)READ-ONLYDMTF\|ComponentID\|1.0MachineNT Domain Controller TypeNETAPI32.DLLNetServerGetInfoVirtual VirtualBox Host-Only Ethernet Adapter000.000.000.000GetIP: failed to resolve host name. iterCount = %d.%02X%02X%02X%02X%02X%02XGetAddress() calledFound MAC Addr using IPConfigData.Found MAC Addr using FirstValidNIC.Found MAC Addr using FirstValidVMWareNIC.Found MAC Addr searching through NICs Found MAC Addr using NetBiosGenerating MAC Addr from device GUID: %sNo NIC addr found. Reporting as Unknown.ldiscnupdateresetdeviceidResetDeviceID: call to LocalExecute returned bVal = %d and result = %dldiscnupdatesetdeviceid=

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ldiscn32.exe	Binary or memory string: Cannot find 'PROGMAN'
Source: ldiscn32.exe	Binary or memory string: PROGMAN

Source: C:\Users\user\Desktop\ldiscn32.exe

Code function: 0_2_006B2D2E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006B2D2E

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	2 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ldiscn32.exe	0%	Virustotal		Browse
ldiscn32.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://internal.httpbase.http.bufoverflowProxy-Authorization:	0%	Avira URL Cloud	safe
HTTPS://%s/ldlogon/ldappl3.ldzInventorySettingsBehaviorSOFTWARE	0%	Avira URL Cloud	safe
HTTPS://%s/ldlogon/ldappl3.ldz	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://internal.httpbase.http.bufoverflowProxy-Authorization:	ldiscn32.exe	false	Avira URL Cloud: safe	unknown
HTTPS://%s/ldlogon/ldappl3.ldzInventorySettingsBehaviorSOFTWARE	ldiscn32.exe	false	Avira URL Cloud: safe	unknown
HTTPS://%s/ldlogon/ldappl3.ldz	ldiscn32.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1669160
Start date and time:	2025-04-19 14:56:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ldiscn32.exe
Detection:	CLEAN
Classification:	clean1.winEXE@3/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.76.34.6, 20.109.210.53
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ldiscn32.exe, PID 8332 because there are no executed function
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.637763840025974
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ldiscn32.exe
File size:	6'054'256 bytes
MD5:	501734f86e298644998701bac1a96862
SHA1:	741b9fe10955f65ab22a7ec25a6af3ac6e71acc1
SHA256:	28ee9437fc0ee951b48d96d5e7ac00fed34b941b79fc6d431950f4f818fd5716
SHA512:	b08eac4748180f5a6e72efc5d3c53b0de12b096f4965c0a5afda903474165d66ee75bdb2e9b92e8b60b96d752b0def591934a996f3ffd1cb53858d5ba44ccb48
SSDEEP:	98304:A/Xd5115209EfmGGyFBua5isfWj3/d0jFT5vTWhEFDAENtuopZDKQM2:CXv119EfmGpW7QDDAENtJpZus
TLSH:	D656BE21BB418062E4EB0975526FE3BEA93CAA30073995C3D7C01E5D58B26C1673E76F
File Content Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........"...C...C...C..w1...C..w1...B..^`...C..w1...C...6...@..w1...C...C...C.......C...,...C...6...C...6...C...6..8B..w1...C...C...G.

File Icon


Icon Hash:	0f8d3674e54b3e30

Static PE Info

General

Entrypoint:	0x6525e6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A77AE0 [Mon Jul 29 11:20:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	77b288d4ce0e05000d0fc64bed64e449

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	23/03/2023 01:00:00 30/04/2026 01:59:59
Subject Chain	CN="Ivanti, Inc.", O="Ivanti, Inc.", L=South Jordan, S=Utah, C=US
Version:	3
Thumbprint MD5:	63F62742282F8B36CDC84F3FEBE550F7
Thumbprint SHA-1:	B310DCA4816C8E3E41E6C72BBB67A255AD8E0363
Thumbprint SHA-256:	A90444AD651A3388953C6258FF98A575837454DB2482E8E75DDC361EB2E715A8
Serial:	06CC8DD2D708B90732838E67977B307F

Entrypoint Preview

Instruction
call 00007F1F20FBF165h
jmp 00007F1F20FBE84Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F1F20FBDBF4h
jmp 00007F1F20FBE9B2h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F1F20FBDBE5h
jmp 00007F1F20FBE9A3h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00940F14h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00940F14h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00940F14h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x533610	0x160	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x533770	0x26c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56b000	0x27330	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5b6a00	0xf770	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x593000	0x45c1c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x50c624	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x50c680	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x50c568	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x431000	0xd24	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5329bc	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42f65c	0x42f800	38ea13b8f16b7a19f1e8a97812c8519f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x431000	0x106eaa	0x107000	bda6a3783650fe2351c87442f2db16f2	False	0.3768008852186312	data	5.827314573743319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x538000	0x32894	0x12c00	4f8ab1814f19d96cca3c3fcb9fbc244e	False	0.27782552083333334	data	4.2949549616040885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x56b000	0x27330	0x27400	401972554a280b912fd6303340a2ea6f	False	0.21404757165605096	data	4.0197611164171105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x593000	0x45c1c	0x45e00	a47b8e629c72f9b57aeb7a802c675db3	False	0.5342058922182469	data	6.63237519498338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x572580	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x5726b8	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x572798	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x5728e8	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x572a38	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x572b88	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x572cd8	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x572e28	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x572f78	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x5730c8	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x573218	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x573368	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x5734b8	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x573608	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x573758	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x5738a8	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x573b18	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x573bd0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x56d9f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.5676972281449894
RT_ICON	0x56e898	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6409574468085106
RT_ICON	0x56ed00	0x580	Device independent bitmap graphic, 18 x 36 x 32, image size 1368	English	United States	0.6235795454545454
RT_ICON	0x56f280	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5901639344262295
RT_ICON	0x56fc08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5532363977485929
RT_DIALOG	0x570d00	0x180	data	English	United States	0.5625
RT_DIALOG	0x570e80	0x1ec	data	English	United States	0.4796747967479675
RT_DIALOG	0x571070	0x38a	data	English	United States	0.42935982339955847
RT_DIALOG	0x5739f8	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x573ae0	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x573d18	0x28e	data	English	United States	0.42201834862385323
RT_STRING	0x574258	0x220	Targa image data - RGB - RLE 101 x 114 x 32 +110 +116 "D"	English	United States	0.4852941176470588
RT_STRING	0x577dc8	0x1b2	data	English	United States	0.42857142857142855
RT_STRING	0x57a288	0x17a	data	English	United States	0.5714285714285714
RT_STRING	0x574478	0x11c	data	English	United States	0.6126760563380281
RT_STRING	0x57ac08	0x354	data	English	United States	0.3039906103286385
RT_STRING	0x57b518	0x16e	data	English	United States	0.48633879781420764
RT_STRING	0x57ba50	0xd4	data	English	United States	0.6698113207547169
RT_STRING	0x57bd20	0x3fa	data	English	United States	0.22593320235756384
RT_STRING	0x57c2b8	0x228	data	English	United States	0.391304347826087
RT_STRING	0x57c8c0	0x256	data	English	United States	0.411371237458194
RT_STRING	0x57d9f8	0x33a	data	English	United States	0.2397094430992736
RT_STRING	0x578e58	0x170	data	English	United States	0.5489130434782609
RT_STRING	0x579860	0x286	data	English	United States	0.3188854489164087
RT_STRING	0x579ae8	0x6e	data	English	United States	0.5181818181818182
RT_STRING	0x5758f8	0xa4	data	English	United States	0.5853658536585366
RT_STRING	0x5748d0	0x50c	data	English	United States	0.2886996904024768
RT_STRING	0x575008	0x358	data	English	United States	0.397196261682243
RT_STRING	0x57e8d8	0x20a	data	English	United States	0.4827586206896552
RT_STRING	0x57ece8	0x230	data	English	United States	0.46964285714285714
RT_STRING	0x575360	0x596	data	English	United States	0.38461538461538464
RT_STRING	0x57f760	0x492	data	English	United States	0.21196581196581196
RT_STRING	0x580648	0x300	data	English	United States	0.2578125
RT_STRING	0x580948	0x296	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0	English	United States	0.2809667673716012
RT_STRING	0x580be0	0x282	data	English	United States	0.440809968847352
RT_STRING	0x581718	0x29a	data	English	United States	0.34534534534534533
RT_STRING	0x5819b8	0x180	data	English	United States	0.5572916666666666
RT_STRING	0x581b38	0x17e	data	English	United States	0.5418848167539267
RT_STRING	0x581cb8	0x158	data	English	United States	0.5290697674418605
RT_STRING	0x581e10	0x11c	data	English	United States	0.5950704225352113
RT_STRING	0x581f30	0x1e0	data	English	United States	0.55625
RT_STRING	0x582110	0x1a8	data	English	United States	0.5235849056603774
RT_STRING	0x5822b8	0x1e6	data	English	United States	0.49382716049382713
RT_STRING	0x5824a0	0x254	data	English	United States	0.39429530201342283
RT_STRING	0x5826f8	0x258	StarOffice Gallery theme 0, 805319936 objects, 1st s	English	United States	0.35
RT_STRING	0x582950	0x1b6	data	English	United States	0.5205479452054794
RT_STRING	0x582b08	0x182	AmigaOS bitmap font "B", fc_YSize 19456, 17408 elements, 2nd "A", 3rd	English	United States	0.48186528497409326
RT_STRING	0x582c90	0x238	data	English	United States	0.4295774647887324
RT_STRING	0x5830e0	0x1e0	data	English	United States	0.44375
RT_STRING	0x5832c0	0xca	data	English	United States	0.6039603960396039
RT_STRING	0x583c00	0x2e	data	English	United States	0.6086956521739131
RT_STRING	0x583c30	0x166	StarOffice Gallery theme v, 1677750016 objects, 1st t	English	United States	0.4888268156424581
RT_STRING	0x574de0	0x226	data	English	United States	0.36
RT_STRING	0x578fc8	0x218	data	English	United States	0.4496268656716418
RT_STRING	0x578920	0x31a	data	English	United States	0.3904282115869018
RT_STRING	0x57a8a8	0x35e	data	English	United States	0.3619489559164733
RT_STRING	0x573fa8	0x2aa	StarOffice Gallery theme S, 1694518784 objects, 1st o	English	United States	0.47214076246334313
RT_STRING	0x5779b8	0x40e	data	English	United States	0.34104046242774566
RT_STRING	0x579f48	0x33a	data	English	United States	0.32929782082324455
RT_STRING	0x57a408	0x256	data	English	United States	0.48494983277591974
RT_STRING	0x57a660	0x248	data	English	United States	0.5
RT_STRING	0x583390	0x2dc	data	English	United States	0.2773224043715847
RT_STRING	0x583670	0x2b2	data	English	United States	0.2768115942028985
RT_STRING	0x583d98	0x226	data	English	United States	0.4309090909090909
RT_STRING	0x574598	0x338	data	English	United States	0.42839805825242716
RT_STRING	0x57e2c8	0x2b4	data	English	United States	0.39739884393063585
RT_STRING	0x57df30	0x392	data	English	United States	0.34573304157549234
RT_STRING	0x57eae8	0x200	data	English	United States	0.533203125
RT_STRING	0x583928	0x2d2	data	English	United States	0.3988919667590028
RT_STRING	0x584de0	0x1b8	data	English	United States	0.48409090909090907
RT_STRING	0x57b688	0x25a	data	English	United States	0.4219269102990033
RT_STRING	0x57fbf8	0x274	data	English	United States	0.339171974522293
RT_STRING	0x584f98	0xfc	data	English	United States	0.6031746031746031
RT_STRING	0x57fe70	0x362	StarOffice Gallery theme M, 1979723008 objects, 1st a	English	United States	0.25635103926096997
RT_STRING	0x5801d8	0x470	data	English	United States	0.23327464788732394
RT_STRING	0x5759a0	0x15c	data	English	United States	0.5258620689655172
RT_STRING	0x575b00	0x3ae	data	English	United States	0.3492569002123142
RT_STRING	0x575eb0	0x3c6	data	English	United States	0.3581780538302277
RT_STRING	0x5791e0	0x680	data	English	United States	0.20673076923076922
RT_STRING	0x576278	0x218	data	English	United States	0.35074626865671643
RT_STRING	0x5766b8	0x2e4	data	English	United States	0.4851351351351351
RT_STRING	0x57cb18	0x1ca	data	English	United States	0.5698689956331878
RT_STRING	0x57c4e0	0x3de	data	English	United States	0.30606060606060603
RT_STRING	0x577f80	0x176	data	English	United States	0.5454545454545454
RT_STRING	0x57e580	0x21a	data	English	United States	0.4795539033457249
RT_STRING	0x57c120	0x196	data	English	United States	0.5467980295566502
RT_STRING	0x578c40	0x216	data	English	United States	0.5037453183520599
RT_STRING	0x585210	0x20e	data	English	United States	0.48098859315589354
RT_STRING	0x585420	0x366	data	English	United States	0.335632183908046
RT_STRING	0x58fac8	0x250	data	English	United States	0.3581081081081081
RT_STRING	0x58fd18	0x2ae	data	English	United States	0.36443148688046645
RT_STRING	0x582ec8	0x214	data	English	United States	0.4116541353383459
RT_STRING	0x583fc0	0x1a8	data	English	United States	0.4528301886792453
RT_STRING	0x585788	0x1f4	data	English	United States	0.38
RT_STRING	0x585980	0x1b0	data	English	United States	0.44675925925925924
RT_STRING	0x578310	0x228	data	English	United States	0.45108695652173914
RT_STRING	0x585b30	0xe6	data	English	United States	0.5695652173913044
RT_STRING	0x57b8e8	0x168	data	English	United States	0.5277777777777778
RT_STRING	0x584670	0x1b4	data	English	United States	0.43119266055045874
RT_STRING	0x57f590	0x1ca	data	English	United States	0.5131004366812227
RT_STRING	0x580e68	0x8b0	data	English	United States	0.1366906474820144
RT_STRING	0x576f08	0x474	data	English	United States	0.306140350877193
RT_STRING	0x584168	0x504	data	English	United States	0.2764797507788162
RT_STRING	0x584890	0x312	data	English	United States	0.3244274809160305
RT_STRING	0x584ba8	0x234	data	English	United States	0.32978723404255317
RT_STRING	0x579b58	0x3ea	data	English	United States	0.3283433133732535
RT_STRING	0x585c18	0x438	data	English	United States	0.2722222222222222
RT_STRING	0x58d8a8	0x90	data	English	United States	0.5625
RT_STRING	0x58d938	0x3ca	data	English	United States	0.28969072164948456
RT_STRING	0x5769a0	0x562	data	English	United States	0.36502177068214803
RT_STRING	0x57cce8	0x25e	data	English	United States	0.33003300330033003
RT_STRING	0x578538	0x3e4	data	English	United States	0.36646586345381527
RT_STRING	0x57cf48	0x872	data	English	United States	0.1244218316373728
RT_STRING	0x57af60	0x5b2	data	English	United States	0.24828532235939643
RT_STRING	0x57bb28	0x1f8	data	English	United States	0.5079365079365079
RT_STRING	0x576490	0x226	data	English	United States	0.5109090909090909
RT_STRING	0x57d7c0	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x57ef18	0x678	data	English	United States	0.20893719806763286
RT_STRING	0x57e7a0	0x138	data	English	United States	0.5705128205128205
RT_STRING	0x584828	0x62	Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0	English	United States	0.6632653061224489
RT_STRING	0x586050	0x33a	Matlab v4 mat-file (little endian) L, numeric, rows 0, columns 0	English	United States	0.1973365617433414
RT_STRING	0x586390	0x44a	data	English	United States	0.16302367941712204
RT_STRING	0x5867e0	0x1f4	data	English	United States	0.392
RT_STRING	0x5869d8	0x97a	data	English	United States	0.1380873866446826
RT_STRING	0x58cf38	0x96a	data	English	United States	0.09211618257261411
RT_STRING	0x587c20	0x91e	data	English	United States	0.1520994001713796
RT_STRING	0x588540	0x9a2	data	English	United States	0.13138686131386862
RT_STRING	0x5894f8	0xa58	data	English	United States	0.13255287009063443
RT_STRING	0x589f50	0x616	data	English	United States	0.21566110397946084
RT_STRING	0x587358	0x8c2	data	English	United States	0.17395182872435325
RT_STRING	0x58a568	0x6d0	data	English	United States	0.1743119266055046
RT_STRING	0x58ac38	0x3ea	data	English	United States	0.3093812375249501
RT_STRING	0x588ee8	0x60a	data	English	United States	0.22639068564036222
RT_STRING	0x58b870	0x6c6	data	English	United States	0.22087658592848905
RT_STRING	0x58c7f0	0x742	data	English	United States	0.15984930032292788
RT_STRING	0x58bf38	0x8b8	data	English	United States	0.15367383512544802
RT_STRING	0x58b028	0x842	data	English	United States	0.1456953642384106
RT_STRING	0x57dd38	0x1f2	data	English	United States	0.3333333333333333
RT_STRING	0x585098	0x176	data	English	United States	0.35294117647058826
RT_STRING	0x58dd08	0x3c4	data	English	United States	0.2095435684647303
RT_STRING	0x58e0d0	0x19a	data	English	United States	0.35609756097560974
RT_STRING	0x58e270	0x182	data	English	United States	0.38860103626943004
RT_STRING	0x58e3f8	0xb32	data	English	United States	0.11653872993719469
RT_STRING	0x58ef30	0x4ba	data	English	United States	0.21570247933884298
RT_STRING	0x577380	0x4fc	data	English	United States	0.21473354231974923
RT_STRING	0x577880	0x134	data	English	United States	0.461038961038961
RT_STRING	0x58f3f0	0xfc	data	English	United States	0.5198412698412699
RT_STRING	0x58f688	0x43c	Matlab v4 mat-file (little endian) L, numeric, rows 0, columns 0	English	United States	0.23247232472324722
RT_STRING	0x58f4f0	0x198	data	English	United States	0.44607843137254904
RT_STRING	0x5780f8	0x216	data	English	United States	0.2546816479400749
RT_STRING	0x58ffc8	0x11e	data	English	United States	0.5874125874125874
RT_STRING	0x5900e8	0xae	Matlab v4 mat-file (little endian) I, numeric, rows 0, columns 0	English	United States	0.5344827586206896
RT_STRING	0x590198	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x590220	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x590250	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x5903d8	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x590c58	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x590978	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x5916a0	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x5908c8	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x591590	0xde	data	English	United States	0.536036036036036
RT_STRING	0x590ec0	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x591368	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x591670	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x591730	0x53e	data	English	United States	0.2965722801788376
RT_MESSAGETABLE	0x571400	0x117c	Matlab v4 mat-file (little endian) %, text, rows 1, columns 45, imaginary	English	United States	0.265638963360143
RT_GROUP_CURSOR	0x572770	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x572f60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5728d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x572e10	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x572cc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5735f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x572b70	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x573200	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x572a20	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5730b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x573350	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5734a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x573740	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x573890	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5739e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x570cb0	0x4c	data	English	United States	0.8421052631578947
RT_VERSION	0x56d6e0	0x30c	data	English	United States	0.47692307692307695
RT_MANIFEST	0x591c70	0x6be	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1666), with CRLF line terminators	English	United States	0.3006952491309386

Imports

DLL	Import
WTSAPI32.dll	WTSQuerySessionInformationA, WTSEnumerateSessionsA, WTSFreeMemory
NETAPI32.dll	NetLocalGroupGetMembers, NetApiBufferFree
RPCRT4.dll	UuidCreate, UuidFromStringA
IPHLPAPI.DLL	SendARP, GetAdaptersAddresses, GetBestInterface, GetAdaptersInfo
WINTRUST.dll	WinVerifyTrust
elogapi.dll	EnableUI, ReportAnEventEx2, RegisterEventApplicationEx
WINMM.dll	waveOutGetNumDevs, waveOutGetDevCapsA, waveInGetNumDevs, waveInGetDevCapsA, PlaySoundA
WS2_32.dll	WSAAddressToStringA, getsockopt, getsockname, bind, gethostbyname, connect, closesocket, WSAGetLastError, setsockopt, recvfrom, select, inet_addr, getnameinfo, recv, freeaddrinfo, getaddrinfo, WSASetLastError, gethostbyaddr, getservbyport, getservbyname, gethostname, send, htons, ntohs, shutdown, ioctlsocket, WSACleanup, WSAStartup, htonl, socket, inet_ntoa
loc32vc0.dll	_LDatoi@4, LDSPRINTF, LDWSPRINTF, _LDNumChars@4, _LDitoa@8, _LDCharVal@4, _LDCharType@4, LDGETFORMATTEDSTRING, _II_LOADLANGUAGELIBRARY@8, _LDstrncpy@12, _LDCharIncrement@8
MPR.dll	WNetGetUniversalNameA
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueA
PSAPI.DLL	GetPerformanceInfo
CFGMGR32.dll	CM_Get_Device_IDA
SHLWAPI.dll	PathFindFileNameA, PathFindExtensionA, PathStripToRootA, StrFormatKBSizeA, PathRemoveFileSpecW, PathIsUNCA
KERNEL32.dll	GetTimeZoneInformation, IsBadStringPtrW, QueryPerformanceFrequency, CreateThread, GetCurrentThread, SetThreadPriority, GetThreadPriority, ResumeThread, SetThreadAffinityMask, lstrcmpiA, lstrcpyA, GetSystemDirectoryA, GetPrivateProfileSectionA, FileTimeToSystemTime, SystemTimeToFileTime, SetFilePointer, GetWindowsDirectoryA, lstrcatA, GetTickCount, GetComputerNameExW, lstrcmpA, GetComputerNameW, GetEnvironmentStrings, GetEnvironmentVariableA, CompareFileTime, FindNextFileA, GetDiskFreeSpaceA, GetDriveTypeA, GetTempPathA, GetVolumeInformationA, GetTempFileNameA, OutputDebugStringA, OpenProcess, GetVersion, GlobalMemoryStatus, GetShortPathNameA, GetLogicalDriveStringsA, GetStartupInfoA, GetFirmwareEnvironmentVariableA, GetPrivateProfileStringA, SystemTimeToTzSpecificLocalTime, SetLastError, OpenMutexA, SetEvent, EnumResourceLanguagesA, GetSystemDefaultLCID, GetCommandLineA, CreateEventA, GetPriorityClass, GetPrivateProfileIntA, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetUserDefaultLCID, MoveFileA, GetFileAttributesA, GetFullPathNameA, AreFileApisANSI, lstrcpynA, PeekNamedPipe, ResetEvent, GetEnvironmentVariableW, GetProcessAffinityMask, SetProcessAffinityMask, DefineDosDeviceA, QueryDosDeviceA, ExitThread, WritePrivateProfileStringA, GetLocalTime, IsBadWritePtr, SetPriorityClass, FileTimeToLocalFileTime, LoadLibraryExA, FileTimeToDosDateTime, GetUserDefaultLangID, OpenThread, SuspendThread, IsDBCSLeadByte, SetThreadLocale, GetSystemTime, GetDateFormatA, GetTimeFormatA, GetCurrentDirectoryA, CallNamedPipeA, GlobalAlloc, GlobalSize, GlobalUnlock, GlobalLock, GlobalFree, MulDiv, LockFile, SetEndOfFile, UnlockFile, GetModuleFileNameW, GetModuleHandleW, LoadLibraryW, FindResourceA, GetVersionExA, LoadLibraryExW, GlobalDeleteAtom, CompareStringA, GlobalAddAtomA, EncodePointer, GetSystemDirectoryW, lstrcmpW, GlobalFindAtomA, GlobalGetAtomNameA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, GetFileAttributesExA, GetFileSizeEx, SetErrorMode, GlobalFlags, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, VirtualProtect, GetOEMCP, GetCPInfo, GetProfileIntA, SearchPathA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, InitializeSRWLock, ReleaseSRWLockExclusive, SetFileAttributesA, AcquireSRWLockExclusive, AcquireSRWLockShared, VirtualAlloc, VirtualFree, SwitchToFiber, DeleteFiber, CreateFiberEx, GetStdHandle, GetFileType, ConvertFiberToThread, ConvertThreadToFiberEx, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, TryEnterCriticalSection, LCMapStringEx, GetStringTypeW, OutputDebugStringW, TerminateThread, ReleaseMutex, LocalFree, LocalAlloc, LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, GetThreadLocale, GetLocaleInfoA, GetACP, VerifyVersionInfoA, CreateProcessA, GetExitCodeProcess, WaitForSingleObject, FindFirstFileA, ExpandEnvironmentStringsA, VerSetConditionMask, MoveFileExW, WriteFile, SetFileTime, SetFilePointerEx, ReadFile, GetFileTime, GetFileSize, GetFileInformationByHandle, FlushFileBuffers, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, DeleteFileA, CreateFileW, CreateFileA, CreateDirectoryW, CreateDirectoryA, WideCharToMultiByte, MultiByteToWideChar, FindResourceW, SizeofResource, LockResource, LoadResource, FindResourceExW, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, WriteConsoleW, HeapAlloc, HeapDestroy, GetLastError, RaiseException, DecodePointer, Sleep, GetComputerNameA, GetSystemTimeAsFileTime, GetSystemInfo, GetCurrentThreadId, GetCurrentProcessId, CreateMutexA, QueryPerformanceCounter, CloseHandle, DeviceIoControl, CreatePipe, DuplicateHandle, FormatMessageA, GetCurrentProcess, RtlUnwind, GetDriveTypeW, FreeLibraryAndExitThread, GetModuleHandleExW, SetCurrentDirectoryW, GetCurrentDirectoryW, FindFirstFileExW, HeapCompact, VirtualQuery, SetStdHandle, GetFullPathNameW, GetCommandLineW, HeapQueryInformation, ExitProcess, SetConsoleCtrlHandler, SetEnvironmentVariableW, GetConsoleOutputCP, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, IsValidLocale, EnumSystemLocalesW, GetFileAttributesExW, IsValidCodePage, lstrlenA, CopyFileA, GetModuleHandleExA, ReleaseSRWLockShared, GetModuleHandleA, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsBadReadPtr
USER32.dll	SetLayeredWindowAttributes, EnumDisplayMonitors, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateA, SetClassLongA, SetWindowRgn, SetParent, DrawEdge, DrawFrameControl, IsZoomed, LoadMenuW, BringWindowToTop, SetCursorPos, CopyIcon, FrameRect, UnionRect, UpdateLayeredWindow, MonitorFromPoint, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, InsertMenuItemA, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, WaitMessage, GetKeyboardLayout, IsCharLowerA, MapVirtualKeyExA, GetKeyboardState, ToAsciiEx, LoadAcceleratorsW, CreateAcceleratorTableA, DestroyAcceleratorTable, CopyAcceleratorTableA, SetRect, LockWindowUpdate, SetMenuDefaultItem, GetDoubleClickTime, ModifyMenuA, RegisterClipboardFormatA, CharUpperBuffA, IsClipboardFormatAvailable, GetUpdateRect, DrawMenuBar, DefFrameProcA, DefMDIChildProcA, TranslateMDISysAccel, SubtractRect, CreateMenu, GetWindowRgn, DestroyCursor, GetUserObjectInformationW, MessageBoxW, GetWindowDC, GetDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, GetLastActivePopup, SetCursor, ShowOwnedPopups, CallNextHookEx, SetWindowsHookExA, GetCursorPos, ValidateRect, GetKeyState, IsWindowVisible, PeekMessageA, DispatchMessageA, TranslateMessage, GetMessageA, SetActiveWindow, DestroyMenu, GetNextDlgTabItem, EndDialog, DeleteMenu, DestroyWindow, IsDialogMessageA, GetWindow, SetWindowLongA, GetWindowLongA, GetWindowTextLengthA, GetWindowTextA, SetWindowTextA, IsWindowEnabled, SetFocus, GetDlgCtrlID, SendDlgItemMessageA, CheckDlgButton, SetDlgItemTextA, LoadCursorW, GetDlgItem, SetWindowPos, MoveWindow, ShowWindow, LoadBitmapW, GetParent, SetMenuItemInfoA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, UnhookWindowsHookEx, RemoveMenu, InsertMenuA, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuState, GetMenuStringA, OpenInputDesktop, EnumThreadWindows, IsCharAlphaNumericA, LoadStringW, CharUpperA, MessageBoxA, wvsprintfA, LoadStringA, GetUserObjectSecurity, SetUserObjectSecurity, LoadIconW, GetClientRect, DrawIcon, AppendMenuA, GetSystemMenu, EnableWindow, KillTimer, InvertRect, HideCaret, EnableScrollBar, MessageBeep, GetIconInfo, DrawIconEx, LoadImageA, IsRectEmpty, DrawFocusRect, WindowFromPoint, ReleaseCapture, SetCapture, GetNextDlgGroupItem, GetMenuDefaultItem, CreatePopupMenu, CopyImage, RealChildWindowFromPoint, LoadCursorA, GetSysColorBrush, MapVirtualKeyA, GetKeyNameTextA, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconA, GetTopWindow, GetClassNameA, GetClassLongA, PtInRect, EqualRect, MapWindowPoints, AdjustWindowRectEx, GetWindowRect, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, SetForegroundWindow, GetForegroundWindow, UpdateWindow, TrackPopupMenu, SetMenu, GetMenu, GetCapture, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, IsChild, IsMenu, SetTimer, IsIconic, IsWindow, PostThreadMessageA, PostMessageA, PostQuitMessage, SendMessageA, GetWindowThreadProcessId, FindWindowA, GetKeyboardType, GetKBCodePage, GetProcessWindowStation, SetProcessWindowStation, CloseWindowStation, OpenWindowStationA, GetThreadDesktop, CloseDesktop, SetThreadDesktop, OpenDesktopA, GetSystemMetrics, GetDesktopWindow, wsprintfA, WaitForInputIdle, CharPrevA, CharNextA, UnregisterClassA, FillRect, NotifyWinEvent, MapDialogRect, GetAsyncKeyState, LoadImageW, TrackMouseEvent, IntersectRect, DestroyIcon, CreateWindowExA, GetClassInfoExA, GetSysColor, ScreenToClient, ClientToScreen, EndPaint, BeginPaint, GetClassInfoA, RegisterClassA, CallWindowProcA, DefWindowProcA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, OffsetRect, SetRectEmpty, SystemParametersInfoA, InflateRect, InvalidateRect, CopyRect, CreateDialogIndirectParamA, GetMenuItemInfoA, GetActiveWindow, ReleaseDC, GetFocus
ole32.dll	OleLockRunning, CoLockObjectExternal, OleGetClipboard, RevokeDragDrop, CreateStreamOnHGlobal, CoDisconnectObject, CoInitialize, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, StringFromGUID2, DoDragDrop, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, CLSIDFromProgID, CLSIDFromString, CoInitializeEx, CoUninitialize, OleRun, CoCreateInstance, RegisterDragDrop
SHELL32.dll	SHGetMalloc, SHGetPathFromIDListA, SHGetDesktopFolder, SHGetFileInfoA, SHGetSpecialFolderLocation, SHAppBarMessage, DragFinish, DragQueryFileA, SHBrowseForFolderA, ShellExecuteA, SHGetFolderPathA
OLEAUT32.dll	SysAllocStringLen, SysFreeString, SysStringLen, SysStringByteLen, SysAllocStringByteLen, VariantInit, VariantClear, VariantCopy, SafeArrayPtrOfIndex, VariantTimeToSystemTime, SafeArrayDestroy, GetErrorInfo, VarBstrFromDate, SystemTimeToVariantTime, LoadTypeLib, VarDateFromStr, VariantChangeType, SafeArrayGetVartype, SafeArrayUnlock, SafeArrayLock, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayGetElemsize, SafeArrayGetDim, SysAllocString
GDI32.dll	GetViewportOrgEx, GetWindowOrgEx, SetPixelV, SetPaletteEntries, ExtFloodFill, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, RoundRect, GetRgnBox, Rectangle, LPtoDP, CreateRoundRectRgn, Polyline, Polygon, CreatePolygonRgn, GetTextColor, SetTextAlign, SetTextColor, SetROP2, SetPolyFillMode, GetLayout, SetLayout, OffsetRgn, SetMapMode, Ellipse, GetTextFaceA, SetBkMode, SetBkColor, EnumFontFamiliesExA, SelectPalette, SelectObject, ExtSelectClipRgn, SelectClipRgn, SaveDC, RestoreDC, RectVisible, PtVisible, CreateEllipticRgn, SetDIBColorTable, CreateDIBSection, StretchBlt, SetPixel, GetTextCharsetInfo, EnumFontFamiliesA, CreateDIBitmap, CreateCompatibleBitmap, GetBkColor, RealizePalette, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, DPtoLP, SetRectRgn, CombineRgn, GetTextMetricsA, PatBlt, CreateRectRgnIndirect, GetTextExtentPoint32A, CreateFontIndirectA, ScaleWindowExtEx, ScaleViewportExtEx, OffsetWindowOrgEx, OffsetViewportOrgEx, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, ExtTextOutA, TextOutA, MoveToEx, GetObjectA, CreateCompatibleDC, DeleteDC, GetDeviceCaps, CopyMetaFileA, CreateDCA, CreateBitmap, BitBlt, CreateHatchBrush, CreatePen, CreatePatternBrush, CreateRectRgn, CreateSolidBrush, DeleteObject, Escape, ExcludeClipRect, GetClipBox, GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo
MSIMG32.dll	TransparentBlt, AlphaBlend
WINSPOOL.DRV	DocumentPropertiesA, EnumPrintersA, OpenPrinterA, EnumPrinterDriversA, ClosePrinter
UxTheme.dll	GetWindowTheme, GetCurrentThemeName, IsThemeBackgroundPartiallyTransparent, GetThemeSysColor, GetThemeColor, DrawThemeBackground, CloseThemeData, OpenThemeData, DrawThemeParentBackground, DrawThemeText, IsAppThemed, GetThemePartSize
USERENV.dll	DestroyEnvironmentBlock, CreateEnvironmentBlock, UnloadUserProfile, LoadUserProfileA, GetProfilesDirectoryA, ExpandEnvironmentStringsForUserA
CRYPT32.dll	CryptMsgClose, CertCloseStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetNameStringA, CryptQueryObject, CertOpenStore, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CryptMsgGetParam
POWRPROF.dll	CallNtPowerInformation
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown, GdipGetImagePalette
OLEACC.dll	AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
IMM32.dll	ImmReleaseContext, ImmGetOpenStatus, ImmGetContext
bcrypt.dll	BCryptGenRandom

Exports

Name	Ordinal	Address
ApplyPatch	1	0x436100
CreatePatch	2	0x436190
IsIvantiSignedFile_lib	3	0x5170e0
IsIvantiSignedFile_libW	4	0x5171d0
IsIvantiSignedFile_lib_GetCompanyName	5	0x5172b0
IsIvantiSignedFile_lib_GetCompanyNameW	6	0x5173e0
IsProcessSigned	7	0x516fd0
IsSignedFileByCompany_lib	8	0x517520
VerifyPDSignature	9	0x516db0

Version Infos

Description	Data
CompanyName	Ivanti
FileDescription	Inventory Scanner for Windows
FileVersion	11.0.5.2696
InternalName	LDISCN32
LegalCopyright	Copyright 2022 Ivanti. All rights reserved.
OriginalFilename	LDISCN32.EXE
ProductName	Ivanti
ProductVersion	11.0.5.2696
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• ldiscn32.exe
• ldiscn32.exe
• ldiscn32.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	08:57:46
Start date:	19/04/2025
Path:	C:\Users\user\Desktop\ldiscn32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ldiscn32.exe" -install
Imagebase:	0x460000
File size:	6'054'256 bytes
MD5 hash:	501734F86E298644998701BAC1A96862
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:57:48
Start date:	19/04/2025
Path:	C:\Users\user\Desktop\ldiscn32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ldiscn32.exe" /install
Imagebase:	0x460000
File size:	6'054'256 bytes
MD5 hash:	501734F86E298644998701BAC1A96862
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:57:51
Start date:	19/04/2025
Path:	C:\Users\user\Desktop\ldiscn32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ldiscn32.exe" /load
Imagebase:	0x460000
File size:	6'054'256 bytes
MD5 hash:	501734F86E298644998701BAC1A96862
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00578130 Relevance: 6.0, APIs: 4, Instructions: 39encryptionCOMMON

Download Yara Rule

APIs

CertCloseStore.CRYPT32(00000000,00000000), ref: 00578149
CryptMsgClose.CRYPT32(00000000), ref: 0057815F
LocalFree.KERNEL32(00000000,821CD027,?,00577379,?,821CD027), ref: 00578175
CertFreeCertificateContext.CRYPT32(00000000,821CD027,?,00577379,?,821CD027), ref: 0057818B

Memory Dump Source

Source File: 00000000.00000002.2589466817.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2589412976.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589728198.0000000000891000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589750429.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589847299.0000000000998000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589869960.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589885253.00000000009A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589905370.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_ldiscn32.jbxd

Similarity

API ID: CertCloseFree$CertificateContextCryptLocalStore
String ID:
API String ID: 4159689761-0
Opcode ID: 43396d9193d1e6f7e0d4c2dd9d8b1f95b8a3d9c1a8990aaf5f7725724a42075c
Instruction ID: 00d9999065426d4075ccb33a281d987f9b49adc7937ee69d65eac71689472fa9
Opcode Fuzzy Hash: 43396d9193d1e6f7e0d4c2dd9d8b1f95b8a3d9c1a8990aaf5f7725724a42075c
Instruction Fuzzy Hash: 57010C34604208EFCB08DF94D99CBA9B7B6FB44705F648089E50957351CB35EE42EB50

Function 0046A770 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000001,?,00000000,00000000,?,00000001,00000000), ref: 0046A77E
LockResource.KERNEL32(00000000), ref: 0046A798

Memory Dump Source

Source File: 00000000.00000002.2589466817.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2589412976.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589728198.0000000000891000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589750429.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589847299.0000000000998000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589869960.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589885253.00000000009A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589905370.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_ldiscn32.jbxd

Similarity

API ID: Resource$LoadLock
String ID:
API String ID: 1037334470-0
Opcode ID: f5c8bfcbcd70cb4b6236b279cf49a26b23811c86c962defd7df1e3e6ace02de7
Instruction ID: ec8876addd26d312dd6efacaa34ef898bd65b654d5546717f3b2191f67ce8d87
Opcode Fuzzy Hash: f5c8bfcbcd70cb4b6236b279cf49a26b23811c86c962defd7df1e3e6ace02de7
Instruction Fuzzy Hash: 2F21CC74D0050AEFCF44DFA4C9889AEB7B5BF48305F20859AE416A7300E3389E51DF66

Function 0083C690 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0083C6C7
___except_validate_context_record.LIBVCRUNTIME ref: 0083C6CF
_ValidateLocalCookies.LIBCMT ref: 0083C758
__IsNonwritableInCurrentImage.LIBCMT ref: 0083C783
_ValidateLocalCookies.LIBCMT ref: 0083C7D8
std::exception::exception.LIBCMTD ref: 0083C7F7

Strings

csm, xrefs: 0083C76D

Memory Dump Source

Source File: 00000000.00000002.2589466817.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2589412976.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589728198.0000000000891000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589750429.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589847299.0000000000998000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589869960.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589885253.00000000009A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2589905370.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_ldiscn32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_recordstd::exception::exception
String ID: csm
API String ID: 1059346599-1018135373
Opcode ID: 48adfbaa9e2380f256b5da7a3eeb1771c104491adf82b2213cccb988b90daa3f
Instruction ID: d702c74ff130dc2adce7265928884d81cd51042c094f0baffa9d29a0c62f0dff
Opcode Fuzzy Hash: 48adfbaa9e2380f256b5da7a3eeb1771c104491adf82b2213cccb988b90daa3f
Instruction Fuzzy Hash: D1416B34A00218ABCF10DF6CC885A9EBBA5FF85324F148059ED18AB352D775EA15CFD1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ldiscn32.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: ldiscn32.exePID: 8332, Parent PID: 3084

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Windows Analysis Report
ldiscn32.exe