General Info

File name

windirstat1_1_2_setup.exe

Full analysis
https://app.any.run/tasks/acc38b90-080c-4e94-8f84-991f46aaa5b0
Verdict
Malicious activity
Analysis date
6/16/2019, 13:31:49
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

3abf1c149873e25d4e266225fbf37cbf

SHA1

6fa92dd2ca691c11dfbfc0a239e34369897a7fab

SHA256

370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

SSDEEP

12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • windirstat1_1_2_setup.exe (PID: 2604)
Application was dropped or rewritten from another process
  • windirstat.exe (PID: 3364)
Actions looks like stealing of personal data
  • windirstat.exe (PID: 3364)
Creates files in the program directory
  • windirstat1_1_2_setup.exe (PID: 2604)
Creates a software uninstall entry
  • windirstat1_1_2_setup.exe (PID: 2604)
Executable content was dropped or overwritten
  • windirstat1_1_2_setup.exe (PID: 2604)

No info indicators.

Static information

TRiD
.exe
|   NSIS - Nullsoft Scriptable Install System (91.9%)
.exe
|   Win32 Executable MS Visual C++ (generic) (3.3%)
.exe
|   Win64 Executable (generic) (3%)
.dll
|   Win32 Dynamic Link Library (generic) (0.7%)
.exe
|   Win32 Executable (generic) (0.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2007:08:25 18:16:04+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
23040
InitializedDataSize:
119808
UninitializedDataSize:
1024
EntryPoint:
0x3265
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.1.2.79
ProductVersionNumber:
1.1.2.79
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
German
CharacterSet:
Windows, Latin1
Comments:
Diese Datei enthält sowohl die Unicode- als auch die ANSI-Version von WinDirStat
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
25-Aug-2007 16:16:04
Detected languages
English - United States
German - Germany
Comments:
This release contains both, Unicode and ANSI version of WinDirStat
CompanyName:
WDS Team
FileDescription:
WinDirStat 1.1.2
FileVersion:
1.1.2
InternalName:
WDS Setup
LegalCopyright:
© 2003-2007 WDS Team
OriginalFilename:
WinDirStat1_1_2_setup.exe
ProductName:
WinDirStat
Website:
http://windirstat.info
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
25-Aug-2007 16:16:04
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00005966 0x00005A00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.45366
.rdata 0x00007000 0x00001190 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.18095
.data 0x00009000 0x0001AFF8 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.06588
.ndata 0x00024000 0x0000A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x0002E000 0x000026F0 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.09872
Resources
1

2

103

104

105

106

107

109

110

111

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    SHELL32.dll

    ADVAPI32.dll

    COMCTL32.dll

    ole32.dll

    VERSION.dll

Exports

    No exports.

Processes

Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

drop and start start windirstat1_1_2_setup.exe no specs windirstat1_1_2_setup.exe windirstat.exe

Process information

PID
3396
CMD
"C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
WDS Team
Description
WinDirStat 1.1.2
Version
1.1.2
Modules
Image
c:\users\admin\appdata\local\temp\windirstat1_1_2_setup.exe
c:\systemroot\system32\ntdll.dll

PID
2604
CMD
"C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
WDS Team
Description
WinDirStat 1.1.2
Version
1.1.2
Modules
Image
c:\users\admin\appdata\local\temp\windirstat1_1_2_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsw41a2.tmp\system.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\windirstat\windirstata.exe
c:\program files\windirstat\windirstat.exe
c:\program files\windirstat\uninstall.exe
c:\users\admin\appdata\local\temp\nsw41a2.tmp\installoptions.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\netutils.dll

PID
3364
CMD
"C:\Program Files\WinDirStat\windirstat.exe"
Path
C:\Program Files\WinDirStat\windirstat.exe
Indicators
Parent process
windirstat1_1_2_setup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Seifert
Description
Windows Directory Statistics
Version
1.1.2.80 (Unicode)
Modules
Image
c:\program files\windirstat\windirstat.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll

Registry activity

Total events
730
Read events
711
Write events
19
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat
InstDir
C:\Program Files\WinDirStat
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
UninstallString
"C:\Program Files\WinDirStat\Uninstall.exe"
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
InstallLocation
C:\Program Files\WinDirStat
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
DisplayName
WinDirStat 1.1.2
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
DisplayIcon
C:\Program Files\WinDirStat\windirstat.exe,0
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
dwVersionMajor
1
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
dwVersionMinor
1
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
dwVersionRev
2
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
dwVersionBuild
79
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
URLInfoAbout
http://windirstat.info/
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
NoModify
1
2604
windirstat1_1_2_setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat
NoRepair
1
2604
windirstat1_1_2_setup.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\Seifert\WinDirStat
InstDir
C:\Program Files\WinDirStat
3364
windirstat.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat\persistence
selectDrivesRadio
1
3364
windirstat.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat\persistence
selectDrivesFolder
3364
windirstat.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat\persistence
selectDrivesDrives
C:
3364
windirstat.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat\persistence
sddlg-rectangle
313,133,735,456
3364
windirstat.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat\persistence
drives-columnOrder
0,1,2,3,4
3364
windirstat.exe
write
HKEY_CURRENT_USER\Software\Seifert\WinDirStat\persistence
drives-columnWidths
120,55,55,100,55

Files activity

Executable files
16
Suspicious files
0
Text files
30
Unknown types
17

Dropped files

PID
Process
Filename
Type
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsw41A2.tmp\System.dll
executable
MD5: 4125926391466fdbe8a4730f2374b033
SHA256: 6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr040a.dll
executable
MD5: cf69ec4f622ab3efc0d59c94c7861d3c
SHA256: 75ca96992380e5b8e323310a01c8a68805ad76223197d2bdaecc03817d233dea
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0419.dll
executable
MD5: 4b8486682deabddcffbb4bea3e38c4ff
SHA256: 43b0d07767c8fb8aadcaa976bec7f748bbc2591085feb500eb1a453ccd4b982f
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr040c.dll
executable
MD5: ed8a32ce3b4edbd63b6ed2b6d5ff5d5a
SHA256: acd0c6b92acb5793a94e820c4d418bd6114c97fe2b9788de73879b8bf220a717
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0415.dll
executable
MD5: b42cd5ebbc8170865a6d1375044aaaac
SHA256: f47cdc2d1ff1c77e3f4e008862d2cf632dc3db5145fa6d2886a0d066c0811eb9
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\windirstat.exe
executable
MD5: 24cd9a82fcfc658dd3ae7ba25c958ffb
SHA256: cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\windirstatA.exe
executable
MD5: 3f3dd4476249ae664e3365e5bb651601
SHA256: f12d0929055567eee4b5842b7e59c34585a03191447de682dc729ad19aa2314f
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0410.dll
executable
MD5: fc6f4868c21cc2b2c58882b3956462c5
SHA256: e9c30274fcdeaa43acaeba3eac86628107ef60dbea723ececa97008b80f40fba
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\Uninstall.exe
executable
MD5: a127e6118b9dd2f9d5a7cc4d697a0105
SHA256: afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr040e.dll
executable
MD5: 08b9dbd8b49783f4d04f9ed4b1ecefa7
SHA256: 3bb682f3088fac19c4d53b3766a3793630ea19d2be33cb0f26f7f9e5972dc221
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0425.dll
executable
MD5: d8e5d81fdaa2524ecf7d1233e2f7b4af
SHA256: 7ff8234e53b3c7328b179fd6a7223eebea8f73802afaf7fb06ee9ca2b279b8e7
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsw41A2.tmp\InstallOptions.dll
executable
MD5: 9b2ad0546fd834c01a3bdcbfbc95da7d
SHA256: 7e08cb4ff81dbb0573c672301681e31b2042682e9a2204673f811455f823dd37
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr040b.dll
executable
MD5: 4a5a97171af49b09f1c68ba7a9bdae34
SHA256: d7fb9404282ca467e0f3e80734a388885c219269d3e9ee78bb66ee9201803ae4
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0407.dll
executable
MD5: 619767bb217f6d1754e018926753e89f
SHA256: 7867b69c5deff7f949e58eb3ff1b266e66ad3fd252c52334927114e7c53ce27b
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0405.dll
executable
MD5: 8eee4f1cde4b0cfd0365456040e05364
SHA256: 7463df064c98cdb501b2310dcac878f9210a303d50d79431152e3031ae1a224a
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsr0413.dll
executable
MD5: 7d7e18f5cdeb3502e9e7aefb49b2aec2
SHA256: b76f0d27ee66d4bdeb0b12ca7ef8773a563d57a0167ecf151c74837209a86e0c
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (ENG).lnk
lnk
MD5: bd5ba197bc9118e1537ea9d30dc5b237
SHA256: fcc8644dc09ebe64b6a87f0c7634d69830e4af5cb8d5db97185bb27a32081b2b
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (PLK).lnk
lnk
MD5: 078bccc83004cfb5448e84eba9e5eb15
SHA256: 8cbc9b879beb4c63ea770a731656ca75e3426bbcff34fa7cd37f8468171923fa
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsh040e.chm
chm
MD5: bc90b966e06c5c20486815809606c77d
SHA256: 8e54bc2dd576d4bfe241e37305a525d80fd9839ed0de2e34abedf49c7f23f5cf
2604
windirstat1_1_2_setup.exe
C:\Users\Administrator\NTUSER.DAT
hiv
MD5: bd9eb1f9a4d02fa65bd317b97766b60b
SHA256: d3e1714c1c9835ef67ed89419aa7c41995f8d766d552c02f8acc790d6f421659
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsh0407.chm
chm
MD5: 64aa305e920630d0f813691f4187c496
SHA256: 181a23a56b7649d5e1c882786de531fedfb9e80a58c96ad92871f72a626eac14
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\wdsh0415.chm
chm
MD5: de97a75cfa6d6cbf91ba68c0c90695c1
SHA256: bab7db85927f846a6ac584d5fc3fb522e812fc1e505e333728f85efd16b50238
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsw41A2.tmp\ioSpecial.ini
text
MD5: e41bfefc98d09e6377423f3fe05499ee
SHA256: 479916b0dd82445afed2715cbbbce7209b2a62d56e2d1885f8b4892c262d6685
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsw41A2.tmp\ioSpecial.ini
––
MD5:  ––
SHA256:  ––
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (DEU).lnk
lnk
MD5: 6b41764096484927b0fcf8336619a006
SHA256: 4d8fdf39a704a3171f57f4a8c6a4b87817f00de3d9dac6ed1eb02b32d0ee49a1
2604
windirstat1_1_2_setup.exe
C:\Users\admin\Desktop\WinDirStat.lnk
lnk
MD5: 71e9a75517b84819590c172951c73944
SHA256: 3b04a716a741826012a2c7ece3a97636766e4465797d5a2ed54e293b34dcdbb7
2604
windirstat1_1_2_setup.exe
C:\Users\Administrator\Desktop\WinDirStat.lnk
lnk
MD5: 71e9a75517b84819590c172951c73944
SHA256: 3b04a716a741826012a2c7ece3a97636766e4465797d5a2ed54e293b34dcdbb7
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (HUN).lnk
lnk
MD5: accfdca9e5d88d9fd29bab45ba34453b
SHA256: 144324a7ec9525e73fce8e135088d9a5d2e1cf7d370b47fd6de26c38318f4144
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\WinDirStat (Unicode).lnk
lnk
MD5: f4305deaec28a02b68c7c707ee7e4b4c
SHA256: 989642c051e255f80bb758e03b86cebdf25eb99dea7a8aff6d354dcba8495214
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Uninstall WinDirStat.lnk
lnk
MD5: 8c644bf918dcecef4db88931f663cf27
SHA256: 3129b42f61c38f8107d957fe47868278b69527a6709f0a784d615c5398ba7619
2604
windirstat1_1_2_setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\WinDirStat (ANSI).lnk
lnk
MD5: 5bff01377b48dc4518a1de8f2c31d4c4
SHA256: ca8fdbe1d5a342e27fdc15af7e4579a927a80c7fe4b6520dc1df5632669fa5de
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsg4191.tmp
––
MD5:  ––
SHA256:  ––
2604
windirstat1_1_2_setup.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
log
MD5: 5c954eb2d68044ac1a37e40472ef7058
SHA256: 227ae9efbf96353f54d84e76fe19ce058eec1ef1f406c14628e6c80bdacd3b82
2604
windirstat1_1_2_setup.exe
C:\Program Files\WinDirStat\windirstat.chm
chm
MD5: 1bddb8a0e0f9cd90a5b3936ec2c2c4cf
SHA256: 1e87c07744054709d271337d8ce06929429b334d70875605cb68ecc4c6610cd1
2604
windirstat1_1_2_setup.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
hiv
MD5: ec25839b000b887496fffd93c7a1d763
SHA256: 0331fe4ba1f9a683cbb3461035c463aa190bfb80d557165962954e3638f28b1f
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsw41A2.tmp\ioSpecial.ini
text
MD5: 7d0c7ba194ff51f0173757271aa94549
SHA256: fe0ab5ef855c59849cdb8b1e6254c114f519199b04a8caa87bf42f396cbed17e
2604
windirstat1_1_2_setup.exe
C:\Users\admin\AppData\Local\Temp\nsw41A2.tmp\modern-wizard.bmp
image
MD5: cbe40fd2b1ec96daedc65da172d90022
SHA256: 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
2604
windirstat1_1_2_setup.exe
C:\Users\Administrator\NTUSER.DAT.LOG1
log
MD5: d187232196098fcd2b6cc9b1d99b1e86
SHA256: 248b4c8a9b1d9e058a1516cd73f23bc86aefc58646b91b88474e9a8b34f0807d

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.