| File name: | WinDirStat-x64.msi |
| Full analysis: | https://app.any.run/tasks/69b81859-f103-4635-937a-d69cf998e290 |
| Verdict: | Malicious activity |
| Analysis date: | May 26, 2025, 08:11:34 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: WinDirStat, Author: WinDirStat Team, Keywords: Installer, Comments: WinDirStat 2.2.2 (x64), Template: x64;1033, Revision Number: {9EBE4D37-CA39-4030-BC42-D113938DEAE5}, Create Time/Date: Fri Jan 17 23:11:20 2025, Last Saved Time/Date: Fri Jan 17 23:11:20 2025, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2 |
| MD5: | 1CF2DDBA0D045BC053529B2759AAF8C8 |
| SHA1: | EA0A5AF18F008EE7DDE34C2A1CF8F625A3FBF165 |
| SHA256: | 029CC7158D5E2D475243B36AE207921D8205C1296E24C2CAB13F142AEFBA473D |
| SSDEEP: | 98304:VZNtuX4x5tWLbdOHooP5x6ZVyeM+LNFfh4l3kOBXDomY7hQi9VKlJyTFQPLLcdGO:m |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 1168)
Changes powershell execution policy (Bypass)
- msiexec.exe (PID: 5404)
Bypass execution policy to execute commands
- powershell.exe (PID: 1168)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 6192)
Kill processes via PowerShell
- powershell.exe (PID: 1168)
The process bypasses the loading of PowerShell profile settings
- msiexec.exe (PID: 5404)
Hides errors and continues executing the command without stopping
- powershell.exe (PID: 1168)
Starts POWERSHELL.EXE for commands execution
- msiexec.exe (PID: 5404)
The process hides Powershell's copyright startup banner
- msiexec.exe (PID: 5404)
Returns all items found within a container (POWERSHELL)
- powershell.exe (PID: 1168)
Manipulates environment variables
- powershell.exe (PID: 1168)
Get information on the list of running processes
- msiexec.exe (PID: 5404)
The process hide an interactive prompt from the user
- msiexec.exe (PID: 5404)
Removes files via Powershell
- powershell.exe (PID: 1168)
INFO
Reads security settings of Internet Explorer
- msiexec.exe (PID: 4300)
Reads the software policy settings
- msiexec.exe (PID: 4300)
An automatically generated document
- msiexec.exe (PID: 4300)
Creates files or folders in the user directory
- msiexec.exe (PID: 4300)
Checks proxy server information
- msiexec.exe (PID: 4300)
Checks supported languages
- msiexec.exe (PID: 5404)
- msiexec.exe (PID: 5124)
Reads the computer name
- msiexec.exe (PID: 5404)
- msiexec.exe (PID: 5124)
Executable content was dropped or overwritten
- msiexec.exe (PID: 4300)
- msiexec.exe (PID: 5404)
Manages system restore points
- SrTasks.exe (PID: 2852)
Returns all items recursively from all subfolders (POWERSHELL)
- powershell.exe (PID: 1168)
Returns hidden items found within a container (POWERSHELL)
- conhost.exe (PID: 4180)
- powershell.exe (PID: 1168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | WinDirStat |
| Author: | WinDirStat Team |
| Keywords: | Installer |
| Comments: | WinDirStat 2.2.2 (x64) |
| Template: | x64;1033 |
| RevisionNumber: | {9EBE4D37-CA39-4030-BC42-D113938DEAE5} |
| CreateDate: | 2025:01:17 23:11:20 |
| ModifyDate: | 2025:01:17 23:11:20 |
| Pages: | 500 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.14.1.8722) |
| Security: | Read-only recommended |
Total processes
139
Monitored processes
9
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1168 | POWERSHELL -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& { $ErrorActionPreference = 'SilentlyContinue' Get-Process 'WinDirStat*' | Stop-Process -Force $Keys = @() $Keys += Get-ChildItem 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat' $Keys += Get-ChildItem 'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat' ForEach ($Key in $Keys) { $Path = $Key.GetValue('InstallLocation') If (-not (Test-Path ($Path + '\*'))) { Continue } Remove-Item -Path ($Path + '\wdsh*.chm') -Force Remove-Item -Path ($Path + '\wdsr*.dll') -Force Remove-Item -Path ($Path + '\WinDirStat*.*') -Force Remove-Item -Path ($Path + '\Uninstall.exe') -Force If (-not (Test-Path ($Path + '\*'))) { Remove-Item -Path $Path -Force } Remove-Item -Path $Key.PSPath -Force } Remove-Item -Path ($env:SystemDrive + '\Users\*\Desktop\WinDirStat.lnk') -Force Remove-Item -Path ($env:SystemDrive + '\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat') -Force -Recurse Remove-Item -Path ($env:ProgramData + '\Microsoft\Windows\Start Menu\Programs\WinDirStat') -Force -Recurse }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2852 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4300 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\WinDirStat-x64.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4700 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | powershell.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5124 | C:\Windows\syswow64\MsiExec.exe -Embedding 236C0EFAB58F7C340AABC8FEB618334B C | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5404 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6192 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6876 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
17 034
Read events
16 757
Write events
260
Delete events
17
Modification events
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000D2F50EDB15CEDB011C1500001C040000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000D2F50EDB15CEDB011C1500001C040000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000544D4FDB15CEDB011C1500001C040000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000544D4FDB15CEDB011C1500001C040000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000ADB151DB15CEDB011C1500001C040000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000CB06D0DB15CEDB011C1500001C040000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5404) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000F66AD2DB15CEDB011C15000034150000E803000001000000000000000000000096DA17C645771541851E5ADB1701EB2B00000000000000000000000000000000 | |||
| (PID) Process: | (6192) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (6192) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4800000000000000FF5CDEDB15CEDB013018000018100000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
4
Suspicious files
31
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5404 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 4300 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | binary | |
MD5:E51732F087007814A988BF8DCC483A4B | SHA256:31019F8EADB4B21F29A058AEE44C1C396820E8F7620919883361F885698B03C4 | |||
| 4300 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | binary | |
MD5:539BE9CEFBED3D9A0096ACFCEA53EAC9 | SHA256:B13034067EBF3C6CB624B035CD079CD75F1C3E4019BA23A7D5A9DBEE70291C45 | |||
| 4300 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_9C2BA0D68BBB93342E457B5FC2988A9F | binary | |
MD5:32CE6D580A3301CA502DAA32F09E5F04 | SHA256:ED43D6E85294C9A60AFC9B601DC4D13C86AAF8597F6CE7ACE8F48F6FC1961B10 | |||
| 5404 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:A59208BF750D0555305D86BE28399B38 | SHA256:7A675B2121B319527E2B730D341EFB960A9868D98D83E07DE160290725DF4172 | |||
| 5404 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{c617da96-7745-4115-851e-5adb1701eb2b}_OnDiskSnapshotProp | binary | |
MD5:A59208BF750D0555305D86BE28399B38 | SHA256:7A675B2121B319527E2B730D341EFB960A9868D98D83E07DE160290725DF4172 | |||
| 5404 | msiexec.exe | C:\Windows\Installer\MSI3E5E.tmp | binary | |
MD5:7EE85160433B7396C08A8F3424137577 | SHA256:53F9F3060EF265128E1CBEE23EE1D0BDB968EDCE7E4A4130D0D9B7EA7B935F0A | |||
| 1168 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ru2augsn.tvh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4300 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4 | binary | |
MD5:B04B6AED64FFC10DF5BF1FD870411DEC | SHA256:D1372F59B5D43388DA511FBAC7B8F4DE8C429EB877AF2F9115996FB2007A26B5 | |||
| 5404 | msiexec.exe | C:\Windows\Temp\~DF954CE7985CAD1585.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
52
DNS requests
19
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4300 | msiexec.exe | GET | 200 | 2.21.239.9:80 | http://crl.certum.pl/ctnca.crl | unknown | — | — | whitelisted |
4300 | msiexec.exe | GET | 200 | 2.21.239.27:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | unknown | — | — | whitelisted |
4300 | msiexec.exe | GET | 200 | 2.21.239.27:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | unknown | — | — | whitelisted |
4300 | msiexec.exe | GET | 200 | 2.21.239.27:80 | http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQCZo4AKJlU7ZavcboSms%2Bo5 | unknown | — | — | whitelisted |
4300 | msiexec.exe | GET | 200 | 2.21.239.21:80 | http://ccsca2021.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRxypYNH69rICCzQBIRXN0YAFa3AAQU3XRdTADbe5%2BgdMqxbvc8wDLAcM0CEAGRWQdNOfHYTFKn1pQEANY%3D | unknown | — | — | unknown |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
5756 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
5756 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6028 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5756 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4300 | msiexec.exe | 2.21.239.27:80 | subca.ocsp-certum.com | AKAMAI-AS | TR | suspicious |
4300 | msiexec.exe | 2.21.239.9:80 | crl.certum.pl | AKAMAI-AS | TR | whitelisted |
4300 | msiexec.exe | 2.21.239.21:80 | subca.ocsp-certum.com | AKAMAI-AS | TR | suspicious |
5756 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5756 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
subca.ocsp-certum.com |
| whitelisted |
crl.certum.pl |
| whitelisted |
ccsca2021.ocsp-certum.com |
| unknown |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |