File name: CrystalDiskInfo9_1_1.exe

Full analysis: https://app.any.run/tasks/9a203cb5-aa50-437b-aa50-9d58ca2e8c19
Verdict: Malicious activity
Analysis date: October 18, 2023, 11:30:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E83262F10F8A81D81E09496CF20C1E6E
SHA1: ED94394796ED32429C9D81E8684A16DAA0619045
SHA256: 2D71DF1167C44F87A518D77D1487D5B4960BA8E97B75AAFCB6EC3A34FB77D418
SSDEEP: 98304:ckLH6I030IO8jndNP95Jdt3WnnmMXRlzqp5NA1rw4qzELBlokW6NaUqKjcW:bJ60IOiP93WmMXRIpTmrPqo86AG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • DiskInfo32.exe (PID: 3216)
    • Drops the executable file immediately after the start
      • CrystalDiskInfo9_1_1.exe (PID: 2036)
      • CrystalDiskInfo9_1_1.exe (PID: 556)
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
  • SUSPICIOUS
    • Reads the Windows owner or organization settings
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
    • Process drops a legitimate Windows executable
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
  • INFO
    • Creates files in a temporary directory
      • CrystalDiskInfo9_1_1.exe (PID: 556)
      • CrystalDiskInfo9_1_1.exe (PID: 2036)
    • Application was dropped or rewritten from another process
      • CrystalDiskInfo9_1_1.tmp (PID: 3944)
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
    • Reads the computer name
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
      • CrystalDiskInfo9_1_1.tmp (PID: 3944)
      • DiskInfo32.exe (PID: 3216)
      • wmpnscfg.exe (PID: 1908)
    • Checks supported languages
      • CrystalDiskInfo9_1_1.tmp (PID: 3944)
      • CrystalDiskInfo9_1_1.exe (PID: 556)
      • DiskInfo32.exe (PID: 3216)
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
      • CrystalDiskInfo9_1_1.exe (PID: 2036)
      • wmpnscfg.exe (PID: 1908)
    • Creates files in the program directory
      • CrystalDiskInfo9_1_1.tmp (PID: 4028)
      • DiskInfo32.exe (PID: 3216)
    • Reads the machine GUID from the registry
      • DiskInfo32.exe (PID: 3216)
      • wmpnscfg.exe (PID: 1908)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 1908)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 18:10:23+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 114688
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 9.1.1.0
ProductVersionNumber: 9.1.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Crystal Dew World
FileDescription: CrystalDiskInfo Setup
FileVersion: 9.1.1
LegalCopyright: Crystal Dew World
OriginalFileName:
ProductName: CrystalDiskInfo 9.1.1
ProductVersion: 9.1.1
No data.
Total processes: 48
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 1


Process information

PID: 556
CMD: "C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo9_1_1.exe"
Path: C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo9_1_1.exe
Parent process: explorer.exe
User: admin
Company: Crystal Dew World
Integrity Level: MEDIUM
Description: CrystalDiskInfo Setup
Exit code: 0
Version: 9.1.1
Modules (Images):
c:\users\admin\appdata\local\temp\crystaldiskinfo9_1_1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1908
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\gdi32.dll
PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo9_1_1.exe" /SPAWNWND=$50300 /NOTIFYWND=$5035E
Path: C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo9_1_1.exe
Parent process: CrystalDiskInfo9_1_1.tmp
User: admin
Company: Crystal Dew World
Integrity Level: HIGH
Description: CrystalDiskInfo Setup
Exit code: 0
Version: 9.1.1
Modules (Images):
c:\users\admin\appdata\local\temp\crystaldiskinfo9_1_1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3216
CMD: "C:\Program Files\CrystalDiskInfo\DiskInfo32.exe"
Path: C:\Program Files\CrystalDiskInfo\DiskInfo32.exe
Parent process: CrystalDiskInfo9_1_1.tmp
User: admin
Company: Crystal Dew World
Integrity Level: HIGH
Description: CrystalDiskInfo
Exit code: 0
Version: 9.1.1.0
Modules (Images):
c:\program files\crystaldiskinfo\diskinfo32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv
PID: 3944
CMD: "C:\Users\admin\AppData\Local\Temp\is-JU97M.tmp\CrystalDiskInfo9_1_1.tmp" /SL5="$5035E,4681573,857600,C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo9_1_1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-JU97M.tmp\CrystalDiskInfo9_1_1.tmp
Parent process: CrystalDiskInfo9_1_1.exe
User: admin
Company: Crystal Dew World
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-ju97m.tmp\crystaldiskinfo9_1_1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 4028
CMD: "C:\Users\admin\AppData\Local\Temp\is-AR3IH.tmp\CrystalDiskInfo9_1_1.tmp" /SL5="$B01D0,4681573,857600,C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo9_1_1.exe" /SPAWNWND=$50300 /NOTIFYWND=$5035E
Path: C:\Users\admin\AppData\Local\Temp\is-AR3IH.tmp\CrystalDiskInfo9_1_1.tmp
Parent process: CrystalDiskInfo9_1_1.exe
User: admin
Company: Crystal Dew World
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-ar3ih.tmp\crystaldiskinfo9_1_1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 262
Read events: 1 253
Write events: 0
Delete events: 9

Modification events

(PID) Process: (4028) CrystalDiskInfo9_1_1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value: 960051266607C2EFAD63B9F84CB4C2A78920B7D4EEBA740EFE785A03760B7FE0

(PID) Process: (4028) CrystalDiskInfo9_1_1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFiles0000
Value: C:\Program Files\CrystalDiskInfo\CdiResource\opus\opusdec.exe

(PID) Process: (4028) CrystalDiskInfo9_1_1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value: 1

(PID) Process: (4028) CrystalDiskInfo9_1_1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value: 5A20D7EAC21169DEF82F579DBE9B3F65209695F4A643C766C326F990731CE2BB

(PID) Process: (4028) CrystalDiskInfo9_1_1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value: BC0F00001215BF8FB601DA01

(PID) Process: (4028) CrystalDiskInfo9_1_1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete key
Name: (default)
Value:

(PID) Process: (1908) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4B4A120E-D175-454B-A355-F534552DE234}\{A247907C-7E92-4D63-B7A0-624C73F7CDB9}
Operation: delete key
Name: (default)
Value:

(PID) Process: (1908) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4B4A120E-D175-454B-A355-F534552DE234}
Operation: delete key
Name: (default)
Value:

(PID) Process: (1908) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{64F1DA71-C2DE-4651-8899-3F2D6CB2DC8B}
Operation: delete key
Name: (default)
Value:
Executable files: 28
Suspicious files: 4
Text files: 1 162
Unknown types: 0

Dropped files

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: text
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\is-JIVHI.tmp
MD5: 92D30E5381370231C4888B57D29D27C6
SHA256: 5D6EDF2D14B16C1C47E85609346874593B4E989214AFDBFEF4D849A30F9F719F

PID: 2036 | Process: CrystalDiskInfo9_1_1.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-AR3IH.tmp\CrystalDiskInfo9_1_1.tmp
MD5: DCC25A5111E81A4A5AC22BA565AAA5EF
SHA256: 46F2FEB0F3417FC4BAC94C5E7DAF71745CDF0BCFD3245FD095548E57653D087E

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: text
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\Graph.css
MD5: 92D30E5381370231C4888B57D29D27C6
SHA256: 5D6EDF2D14B16C1C47E85609346874593B4E989214AFDBFEF4D849A30F9F719F

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: executable
Filename: C:\Program Files\CrystalDiskInfo\unins000.exe
MD5: DCC25A5111E81A4A5AC22BA565AAA5EF
SHA256: 46F2FEB0F3417FC4BAC94C5E7DAF71745CDF0BCFD3245FD095548E57653D087E

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: html
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\Graph.html
MD5: 8F1697EE6EC9064C8F34E987E1492B23
SHA256: 93ABE1DEDCEC0CC9CEE33562D2E9B4990E67186A171E9EB7AD0354818C071F06

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: html
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\Option.html
MD5: E4F31017BB12BBF3F2E3B5A95EC03345
SHA256: C73F0476F15499D6ECC8AA2A0655421BC7DA6B5EFE483C5071D6920BE8D05BEC

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: html
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\is-81UMQ.tmp
MD5: 8F1697EE6EC9064C8F34E987E1492B23
SHA256: 93ABE1DEDCEC0CC9CEE33562D2E9B4990E67186A171E9EB7AD0354818C071F06

PID: 556 | Process: CrystalDiskInfo9_1_1.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-JU97M.tmp\CrystalDiskInfo9_1_1.tmp
MD5: DCC25A5111E81A4A5AC22BA565AAA5EF
SHA256: 46F2FEB0F3417FC4BAC94C5E7DAF71745CDF0BCFD3245FD095548E57653D087E

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: html
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\is-NO2LA.tmp
MD5: 107A3C70789A69471E35C53F609AE24E
SHA256: 81A84F5D9B69EFD3F9181D17606E378C343C60453A6197E61D57BB8CE572F27D

PID: 4028 | Process: CrystalDiskInfo9_1_1.tmp | Type: html
Filename: C:\Program Files\CrystalDiskInfo\CdiResource\dialog\Graph8.html
MD5: 107A3C70789A69471E35C53F609AE24E
SHA256: 81A84F5D9B69EFD3F9181D17606E378C343C60453A6197E61D57BB8CE572F27D
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2656 | Process: svchost.exe | IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info