File name: windirstat1_1_2_setup.exe

Full analysis: https://app.any.run/tasks/68f3467d-d940-4e16-ab20-00c76c84d29d
Verdict: Malicious activity
Analysis date: June 21, 2024, 21:35:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 3ABF1C149873E25D4E266225FBF37CBF
SHA1: 6FA92DD2CA691C11DFBFC0A239E34369897A7FAB
SHA256: 370A27A30EE57247FADDEB1F99A83933247E07C8760A07ED82E451E1CB5E5CDD
SSDEEP: 12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • windirstat1_1_2_setup.exe (PID: 3208)
    • Actions look like stealing of personal data
      • windirstat.exe (PID: 1504)
  • SUSPICIOUS
    • Malware-specific behavior (creating "System.dll" in Temp)
      • windirstat1_1_2_setup.exe (PID: 3208)
    • The process creates files with names similar to system file names
      • windirstat1_1_2_setup.exe (PID: 3208)
    • Executable content was dropped or overwritten
      • windirstat1_1_2_setup.exe (PID: 3208)
    • Detected use of alternate data streams (AltDS)
      • windirstat.exe (PID: 1504)
    • Creates a software uninstall entry
      • windirstat1_1_2_setup.exe (PID: 3208)
    • Creates a file in the system drive root
      • windirstat.exe (PID: 1504)
  • INFO
    • Reads the computer name
      • windirstat1_1_2_setup.exe (PID: 3208)
      • windirstat.exe (PID: 1504)
    • Checks supported languages
      • windirstat1_1_2_setup.exe (PID: 3208)
      • windirstat.exe (PID: 1504)
    • Creates files in the program directory
      • windirstat1_1_2_setup.exe (PID: 3208)
    • Creates files in a temporary directory
      • windirstat1_1_2_setup.exe (PID: 3208)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:08:25 16:16:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23040
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x3265
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.2.79
ProductVersionNumber: 1.1.2.79
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: German
CharacterSet: Windows, Latin1
Comments: Diese Datei enthält sowohl die Unicode- als auch die ANSI-Version von WinDirStat (This file contains both the Unicode and the ANSI version of WinDirStat)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive, see the full report): start -> windirstat1_1_2_setup.exe -> windirstat.exe; a second windirstat1_1_2_setup.exe node is marked "no specs".

Process information

PID: 1504
CMD: "C:\Program Files\WinDirStat\windirstat.exe"
Path: C:\Program Files\WinDirStat\windirstat.exe
Parent process: windirstat1_1_2_setup.exe
User: admin
Company: Seifert
Integrity Level: HIGH
Description: Windows Directory Statistics
Version: 1.1.2.80 (Unicode)
Modules (images):
  c:\program files\windirstat\windirstat.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
Parent process: explorer.exe
User: admin
Company: WDS Team
Integrity Level: HIGH
Description: WinDirStat 1.1.2
Exit code: 0
Version: 1.1.2
Modules (images):
  c:\users\admin\appdata\local\temp\windirstat1_1_2_setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll

PID: 3416
CMD: "C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
Parent process: explorer.exe
User: admin
Company: WDS Team
Integrity Level: MEDIUM
Description: WinDirStat 1.1.2
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.1.2
Modules (images):
  c:\users\admin\appdata\local\temp\windirstat1_1_2_setup.exe
  c:\windows\system32\ntdll.dll
Total events: 5 183
Read events: 5 164
Write events: 19
Delete events: 0

Modification events

All events below were written by PID 3208, windirstat1_1_2_setup.exe (operation: write).

Key | Name | Value
HKEY_CURRENT_USER\Software\Seifert\WinDirStat | InstDir | C:\Program Files\WinDirStat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | UninstallString | "C:\Program Files\WinDirStat\Uninstall.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | InstallLocation | C:\Program Files\WinDirStat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | DisplayName | WinDirStat 1.1.2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | DisplayIcon | C:\Program Files\WinDirStat\windirstat.exe,0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | dwVersionMajor | 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | dwVersionMinor | 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | dwVersionRev | 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | dwVersionBuild | 79
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat | URLInfoAbout | http://windirstat.info/
Executable files: 5
Suspicious files: 7
Text files: 1
Unknown types: 0

Dropped files

All files below were dropped by PID 3208, windirstat1_1_2_setup.exe.

Filename | Type
C:\Program Files\WinDirStat\windirstat.chm | chm
  MD5: 1BDDB8A0E0F9CD90A5B3936EC2C2C4CF
  SHA256: 1E87C07744054709D271337D8CE06929429B334D70875605CB68ECC4C6610CD1
C:\Users\admin\AppData\Local\Temp\nssE2EC.tmp\modern-wizard.bmp | image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
C:\Program Files\WinDirStat\Uninstall.exe | executable
  MD5: A127E6118B9DD2F9D5A7CC4D697A0105
  SHA256: AFC864CFCE79B2A6ADD491A27EA672D958233ED7A97A2CBBCE60100D2FA1E670
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (ENG).lnk | lnk
  MD5: DC7E47CEE4BEEF5E17F8F036B42811D2
  SHA256: 5B8A11A44E69B0691E7FAC99D2A4AA7D850DF2FC76826FF9ECB6EC366C00E27F
C:\Users\admin\Desktop\WinDirStat.lnk | lnk
  MD5: 256BAE3F9203F90198652752A05E2BD4
  SHA256: F04DB7CFE109D9732E3DD80F2B2D163A7A18B8E256082F2F5AD7218A5B54BDB2
C:\Users\Administrator\Desktop\WinDirStat.lnk | binary
  MD5: 256BAE3F9203F90198652752A05E2BD4
  SHA256: F04DB7CFE109D9732E3DD80F2B2D163A7A18B8E256082F2F5AD7218A5B54BDB2
C:\Users\admin\AppData\Local\Temp\nssE2EC.tmp\ioSpecial.ini | text
  MD5: E2D5070BC28DB1AC745613689FF86067
  SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
C:\Program Files\WinDirStat\windirstat.exe | executable
  MD5: 24CD9A82FCFC658DD3AE7BA25C958FFB
  SHA256: CC3EE246F2710DC9BA9E2A88E3192B88F1DB4CAA2EEFB8641642A33DF04E585C
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Uninstall WinDirStat.lnk | lnk
  MD5: 6A449E58019411E0A2178FFE5BD1EB60
  SHA256: 600F70815EDE9E3D04FCE8B84BA7182D090383CA8D12CA30493E96CCB74EE377
C:\Users\admin\AppData\Local\Temp\nssE2EC.tmp\System.dll | executable
  MD5: 4125926391466FDBE8A4730F2374B033
  SHA256: 6692BD93BCD04146831652780C1170DA79AA3784C3C070D95FB1580E339DE6C5
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

HTTP requests

(Columns in the full report: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation. For each request only two of the last four fields were recorded, both as "unknown".)

PID 1060, svchost.exe: GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 from 217.20.58.98:80, HTTP 304; unknown, unknown
PID 1372, svchost.exe: GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 from 217.20.56.36:80, HTTP 304; unknown, unknown
PID 1372, svchost.exe: GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl from 184.30.21.171:80, HTTP 200; unknown, unknown
PID 1372, svchost.exe: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl from 23.48.23.156:80, HTTP 200; unknown, unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 217.20.56.36:80 | ctldl.windowsupdate.com | - | US | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1060 | svchost.exe | 217.20.58.98:80 | ctldl.windowsupdate.com | - | US | unknown

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
ctldl.windowsupdate.com | 217.20.56.36, 217.20.58.99, 217.20.58.98, 217.20.58.101, 217.20.58.100, 217.20.56.43 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

No threats detected
No debug info