ID: 358426
Sample Name: FolderSize-2.6-x86.msi
Cookbook: defaultwindowsofficecookbook.jbs
Time: 15:49:20
Date: 25/02/2021
Version: 31.0.0 Emerald


Copyright null 2021 Page 4 of 25

Analysis Report FolderSize-2.6-x86.msi

Overview

General Information

Sample Name: FolderSize-2.6-x86.msi
Analysis ID: 358426
MD5: 12283f7c0b119d3…
SHA1: f365b1ca8fb7e6c…
SHA256: 8d01e67b69fde23…

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%
Score legend: malicious / suspicious / clean

Signatures

• Allocates memory within range whic…
• Checks for available system drives …
• Contains capabilities to detect virtua…
• Contains functionality to check if a d…
• Contains functionality to dynamically…
• Contains functionality to query CPU …
• Contains functionality to query CPU …
• Contains functionality to query locale…
• Contains functionality which may be…
• Creates or modifies windows services
• Detected potential crypto function
• Found evasive API chain (may stop…
• Found potential string decryption / a…
• May sleep (evasive loops) to hinder …
• Queries the volume information (name…
• Uses code obfuscation techniques (

Classification

Classification chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Startup

System is w7x64

• msiexec.exe (PID: 944, cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\FolderSize-2.6-x86.msi', MD5: AC2E7152124CEED36846BD1B6592A00F)
• VSSVC.exe (PID: 260, cmdline: C:\Windows\system32\vssvc.exe, MD5: B60BA0BC31B0CB414593E169F6F21CC2)
• svchost.exe (PID: 2920, cmdline: C:\Windows\System32\svchost.exe -k swprv, MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
• svchost.exe (PID: 2240, cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup, MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
• FolderSizeSvc.exe (PID: 2296, cmdline: C:\Program Files (x86)\FolderSize\FolderSizeSvc.exe, MD5: C3FE7DBDEE220251595AB81A13080B5B)
• FolderSize.exe (PID: 2072, cmdline: 'C:\Program Files (x86)\FolderSize\FolderSize.exe' -install, MD5: 418149883729C7B7BE2508DF05F2ABA4)
• FolderSize.exe (PID: 2360, cmdline: 'C:\Program Files (x86)\FolderSize\FolderSize.exe', MD5: 418149883729C7B7BE2508DF05F2ABA4)
• cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection

There are no malicious signatures.

Compliance:

Binary contains paths to debug symbols

Mitre Att&ck Matrix

Tactics (matrix columns): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects

Techniques matched for this sample (the number after each technique is the signature count shown in the matrix; all other matrix cells are unmatched default entries):

• Initial Access: Replication Through Removable Media 1
• Execution: Command and Scripting Interpreter 2; Native API 2
• Persistence: Windows Service 1; Registry Run Keys / Startup Folder 1
• Privilege Escalation: Windows Service 1; Process Injection 2; Registry Run Keys / Startup Folder 1
• Defense Evasion: Virtualization/Sandbox Evasion 2; Process Injection 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
• Credential Access: no technique matched
• Discovery: System Time Discovery 1; Security Software Discovery 3 1; Virtualization/Sandbox Evasion 2; Process Discovery 1; Peripheral Device Discovery 1 1; File and Directory Discovery 1; System Information Discovery 3 5
• Lateral Movement: Replication Through Removable Media 1
• Collection: Archive Collected Data 1
• Exfiltration: no technique matched
• Command and Control: Encrypted Channel 1
• Network Effects: no technique matched
• Remote Service Effects: no technique matched

Behavior Graph

Behavior Graph (rendered as a figure in the report; only its labels are recoverable here)

ID: 358426
Sample: FolderSize-2.6-x86.msi
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 5

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph nodes: msiexec.exe started svchost.exe, FolderSize.exe and 4 other processes

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Label | Link
FolderSize-2.6-x86.msi | 0% | Virustotal | Browse
FolderSize-2.6-x86.msi | 0% | Metadefender | Browse
FolderSize-2.6-x86.msi | 0% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
computername/printers/printername/.printer | 0% | Avira URL Cloud | safe |
www.%s.comPA | 0% | URL Reputation | safe |
windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
.sourceforge.netG | 0% | Avira URL Cloud | safe |
treyresearch.net | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | msiexec.exe, 00000000.00000002.2262653613.0000000003AE7000.00000002.00000001.sdmp | false | | high
www.windows.com/pctv. | msiexec.exe, 00000000.00000002.2260470885.0000000003900000.00000002.00000001.sdmp | false | | high
investor.msn.com | msiexec.exe, 00000000.00000002.2260470885.0000000003900000.00000002.00000001.sdmp | false | | high
www.msnbc.com/news/ticker.txt | msiexec.exe, 00000000.00000002.2260470885.0000000003900000.00000002.00000001.sdmp | false | | high
www.icra.org/vocabulary/. | msiexec.exe, 00000000.00000002.2262653613.0000000003AE7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 00000003.00000002.2339440011.0000000000DD0000.00000002.00000001.sdmp | false | | high
wellformedweb.org/CommentAPI/ | msiexec.exe, 00000000.00000002.2259858634.0000000003280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
investor.msn.com/ | msiexec.exe, 00000000.00000002.2260470885.0000000003900000.00000002.00000001.sdmp | false | | high
foldersize.sourceforge.net | msiexec.exe, 00000000.00000003.2071472900.0000000000423000.00000004.00000001.sdmp | false | | high
www.iis.fhg.de/audioPA | msiexec.exe, 00000000.00000002.2259858634.0000000003280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
computername/printers/printername/.printer | msiexec.exe, 00000000.00000002.2259858634.0000000003280000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
www.%s.comPA | svchost.exe, 00000003.00000002.2339440011.0000000000DD0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
windowsmedia.com/redir/services.asp?WMPFriendly=true | msiexec.exe, 00000000.00000002.2262653613.0000000003AE7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.hotmail.com/oe | msiexec.exe, 00000000.00000002.2260470885.0000000003900000.00000002.00000001.sdmp | false | | high
foldersize.sourceforge.netG | msiexec.exe, 00000000.00000003.2258939873.0000000000466000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
treyresearch.net | msiexec.exe, 00000000.00000002.2259858634.0000000003280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358426
Start date: 25.02.2021
Start time: 15:49:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FolderSize-2.6-x86.msi
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winMSI@7/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 100% (good quality ratio 91.6%)
Quality average: 76.3%
Quality standard deviation: 31.6%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi

Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtFsControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
15:49:33 | API Interceptor | 308x Sleep call for process: msiexec.exe modified
15:50:45 | API Interceptor | 358x Sleep call for process: VSSVC.exe modified
15:50:45 | API Interceptor | 508x Sleep call for process: svchost.exe modified
15:50:58 | API Interceptor | 201x Sleep call for process: FolderSize.exe modified
15:51:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Folder Size C:\Program Files (x86)\FolderSize\FolderSize.exe
15:51:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Folder Size C:\Program Files (x86)\FolderSize\FolderSize.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: FolderSize Installation Database, Subject: Folder Size, Author: Brio, Keywords: Installer,MSI,Database, Template: Intel;1033, Last Saved By: Brio1, Revision Number: {93D54CA4-0E16-4F1C-99C4-2A29B7E4A329}, Last Printed: Sun Mar 7 04:22:54 2004, Create Time/Date: Sun Mar 7 04:22:54 2004, Last Saved Time/Date: Thu Jan 26 04:44:54 2006, Number of Pages: 100, Number of Words: 2, Name of Creating Application: Windows Installer, Security: 1
Entropy (8bit): 7.124425566862393
TrID: Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: FolderSize-2.6-x86.msi
File size: 274432
MD5: 12283f7c0b119d3a4945be3be953e588
SHA1: f365b1ca8fb7e6c3bd6f3524e0dff4ce33895011
SHA256: 8d01e67b69fde230da3654b8755326a0e38001a1bf7cf98c89b1b2ba1f544f74
SHA512: 1583aa81c77f82e8795ee3d1e61175354cc743577d898f6af12a6dd6c2b4961d5c4479330071d4daebaf126c5b0f80a3df4d77a033eff7de73283c93da8576ef
SSDEEP: 3072:31IuY0zTPU9oDUXuALkN3F+OnjNhsqTNHOeJdqaBUP26bBj2grJjJcC:31IMPvIXBkZFPnXT5JmuWXd+C

File Icon

Icon Hash: a2a0b496b2caca72

Static OLE Info

General
Document Type: OLE
Number of OLE Files: 1

OLE File "FolderSize-2.6-x86.msi"

Indicators
Has Summary Info: True
Application Name: Windows Installer
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Summary
Code Page: 1252
Title: FolderSize Installation Database
Subject: Folder Size
Author: Brio
Keywords: Installer,MSI,Database
Template: Intel;1033
Last Saved By: Brio1
Revision Number: {93D54CA4-0E16-4F1C-99C4-2A29B7E4A329}
Last Printed: 2004-03-07 04:22:54
Create Time: 2004-03-07 04:22:54
Last Saved Time: 2006-01-26 04:44:54
Number of Pages: 100
Number of Words: 2
Creating Application: Windows Installer
Security: 1

Streams

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 468

General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 468
Entropy: 4.27956216341
Base64 Encoded: True
Data ASCII (readable strings): FolderSize Installation Database, FolderSize

Stream Path: \x16786\x17522\x15358\x17394\x16935\x16181\x18284\x18344\x16812\x18482, File Type: MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel, Stream Size: 25214

General
Stream Path: \x16786\x17522\x15358\x17394\x16935\x16181\x18284\x18344\x16812\x18482
File Type: MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Stream Size: 25214
Entropy: 5.52753815565
Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x15870\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path: \x17163\x16689\x18229\x15870\x18088
File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size: 318
Entropy: 2.03444158006
Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x16318\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path: \x17163\x16689\x18229\x16318\x18483
File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size: 318
Entropy: 2.03693614652
Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path: \x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470
File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size: 766
Entropy: 3.3484862649
Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x17214\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078

General
Stream Path: \x17163\x16689\x18229\x17214\x17009\x18482
File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Stream Size: 1078
Entropy: 2.86422695486
Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path: \x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481
File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size: 2998
Entropy: 4.40653521205
Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path: \x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482
File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size: 2998
Entropy: 4.92283562852
Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path: \x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470
File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size: 2998
Entropy: 4.6676615263
Base64 Encoded: True

Stream Path: \x17551\x16879\x17768\x17180\x16957\x16830\x16740, File Type: Microsoft Cabinet archive data, 156085 bytes, 4 files, Stream Size: 156085

General
Stream Path: \x17551\x16879\x17768\x17180\x16957\x16830\x16740
File Type: Microsoft Cabinet archive data, 156085 bytes, 4 files
Stream Size: 156085
Entropy: 7.99864045615
Base64 Encoded: True
Data ASCII (readable strings, MSCF header with the four contained file names): FolderSizeColumn.dll, FolderSize.cpl, FolderSizeSvc.exe, FolderSize.exe

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1096

General
Stream Path: \x18496\x15167\x17394\x17464\x17841
File Type: data
Stream Size: 1096
Entropy: 5.09742564013
Base64 Encoded: False

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 200

General
Stream Path: \x18496\x15518\x16925\x17915
File Type: data
Stream Size: 200
Entropy: 4.38289846131
Base64 Encoded: False

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 31387

General
Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type: ASCII text, with very long lines, with no line terminators
Stream Size: 31387
Entropy: 4.92134640897
Base64 Encoded: True
Data ASCII: N a m e T y p e A c t i o n A c t i o n T e x t C C P S e a r c h F i l e : [ 1 ] B i n d i n g e x e c u t a b l e s B i n d I m a g e P r o p e r t y : [ 1 ] , S i g n a t u r e : [ 2 ] S e a r c h i n g f o r i n s t a l l e d a p p l i c a t i o n s A p p S e a r c h F r e e s p a c e : [ 1 ] A l l o c a t i n g r e g i s t r y s p a c e A l l o c a t e R e g i s t r y S p a c e A d v e r t i s i n g a p p l i c a t i o n A d v e r t i s e T e m p l a t e D e s c r i p t i o n

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3588

General
Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type: data
Stream Size: 3588
Entropy: 3.30976882396
Base64 Encoded: False

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 52

General
Stream Path: \x18496\x16255\x16740\x16943\x18486
File Type: data
Stream Size: 52
Entropy: 4.32177463215
Base64 Encoded: False

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 4

General
Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
File Type: data
Stream Size: 4
Entropy: 1.5
Base64 Encoded: False

Stream Path: \x18496\x16778\x17207\x17522\x16925\x17915, File Type: data, Stream Size: 420

General
Stream Path: \x18496\x16778\x17207\x17522\x16925\x17915
File Type: data
Stream Size: 420
Entropy: 4.40503824969
Base64 Encoded: False

Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4

General
Stream Path: \x18496\x16786\x17522
File Type: data
Stream Size: 4
Entropy: 2.0
Base64 Encoded: False

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 16

General
Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type: data
Stream Size: 16
Entropy: 2.0
Base64 Encoded: False

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General
Stream Path: \x18496\x16911\x17892\x17784\x18472
File Type: data
Stream Size: 16
Entropy: 3.07781953111
Base64 Encoded: False

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 12

General
Stream Path: \x18496\x16918\x17191\x18468
File Type: MIPSEB Ucode
Stream Size: 12
Entropy: 2.12581458369
Base64 Encoded: False

Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 36

General
Stream Path: \x18496\x16923\x17194\x17910\x18229
File Type: data
Stream Size: 36
Entropy: 3.19173035523
Base64 Encoded: False

Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394, File Type: data, Stream Size: 24

General
Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394
File Type: data
Stream Size: 24
Entropy: 2.34436093777
Base64 Encoded: False

Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391, File Type: data, Stream Size: 32

General
Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391
File Type: data
Stream Size: 32
Entropy: 2.08770470625
Base64 Encoded: False

Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36

General
Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472
File Type: data
Stream Size: 36
Entropy: 2.91367133993
Base64 Encoded: False

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 28

General
Stream Path: \x18496\x17163\x16689\x18229
File Type: data
Stream Size: 28
Entropy: 2.20183873051
Base64 Encoded: False

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 18

General
Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492
File Type: data
Stream Size: 18
Entropy: 2.59179322608
Base64 Encoded: False

Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 462

General
Stream Path: \x18496\x17165\x17380\x17074
File Type: data
Stream Size: 462
Entropy: 3.93405755921
Base64 Encoded: False

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 72

General
Stream Path: \x18496\x17167\x16943
File Type: data
Stream Size: 72
Entropy: 3.16293203666
Base64 Encoded: False

Stream Path: \x18496\x17356\x17828\x18486, File Type: data, Stream Size: 26

General
Stream Path: \x18496\x17356\x17828\x18486
File Type: data
Stream Size: 26
Entropy: 0.927074502371
Base64 Encoded: False

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 408

General
Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type: data
Stream Size: 408
Entropy: 4.70239617571
Base64 Encoded: False

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 84

General
Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type: data
Stream Size: 84
Entropy: 4.07242932368
Base64 Encoded: False

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 48

General
Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487
File Type: data
Stream Size: 48
Entropy: 2.57700494742
Base64 Encoded: False

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: VAX-order2 68k Blit mpx/mux executable, Stream Size: 24

General
Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522
File Type: VAX-order2 68k Blit mpx/mux executable
Stream Size: 24
Entropy: 2.19812031259
Base64 Encoded: False

Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1056

General
Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905
File Type: data
Stream Size: 1056
Entropy: 4.09962942451
Base64 Encoded: False

Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 4446

General
Stream Path: \x18496\x17548\x17905\x17589\x18479
File Type: data
Stream Size: 4446
Entropy: 3.99687141658
Base64 Encoded: False

Stream Path: \x18496\x17742\x17589\x18485, File Type: data, Stream Size: 632

General
Stream Path: \x18496\x17742\x17589\x18485
File Type: data
Stream Size: 632
Entropy: 5.92343492728
Base64 Encoded: False

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 196

General
Stream Path: \x18496\x17753\x17650\x17768\x18231
File Type: data
Stream Size: 196
Entropy: 4.50973578358
Base64 Encoded: False

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 16

General
Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522
File Type: data
Stream Size: 16
Entropy: 3.125
Base64 Encoded: False

Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 104

General
Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073
File Type: data
Stream Size: 104
Entropy: 3.82940660933
Base64 Encoded: False

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• msiexec.exe
• VSSVC.exe
• svchost.exe
• svchost.exe
• FolderSizeSvc.exe
• FolderSize.exe
• FolderSize.exe

System Behavior

Analysis Process: msiexec.exe PID: 944 Parent PID: 2916

General

Start time: 15:49:33
Start date: 25/02/2021
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\FolderSize-2.6-x86.msi'
Imagebase: 0xffb30000
File size: 128512 bytes
MD5 hash: AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: VSSVC.exe PID: 260 Parent PID: 428

General

Start time: 15:50:45
Start date: 25/02/2021
Path: C:\Windows\System32\VSSVC.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\vssvc.exe
Imagebase: 0xff0e0000
File size: 1600512 bytes
MD5 hash: B60BA0BC31B0CB414593E169F6F21CC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: svchost.exe PID: 2920 Parent PID: 428

General

Start time: 15:50:45
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k swprv
Imagebase: 0xff0e0000
File size: 27136 bytes
MD5 hash: C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: svchost.exe PID: 2240 Parent PID: 428

General

Start time: 15:50:45
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0xff0e0000
File size: 27136 bytes
MD5 hash: C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: FolderSizeSvc.exe PID: 2296 Parent PID: 428

General

Start time: 15:50:57
Start date: 25/02/2021
Path: C:\Program Files (x86)\FolderSize\FolderSizeSvc.exe
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\FolderSize\FolderSizeSvc.exe
Imagebase: 0x400000
File size: 114688 bytes
MD5 hash: C3FE7DBDEE220251595AB81A13080B5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: FolderSize.exe PID: 2072 Parent PID: 908

General

Start time: 15:50:58
Start date: 25/02/2021
Path: C:\Program Files (x86)\FolderSize\FolderSize.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\FolderSize\FolderSize.exe' -install
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: 418149883729C7B7BE2508DF05F2ABA4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: Folder Size
Type: unicode
Data: C:\Program Files (x86)\FolderSize\FolderSize.exe
Completion: success or wait
Count: 1
Address: 405346
Symbol: SHSetValueW

Analysis Process: FolderSize.exe PID: 2360 Parent PID: 1388

General

Start time: 15:51:11
Start date: 25/02/2021
Path: C:\Program Files (x86)\FolderSize\FolderSize.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\FolderSize\FolderSize.exe'
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: 418149883729C7B7BE2508DF05F2ABA4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
