Windows Analysis Report
TreeSizeFreeSetup.exe

Overview

General Information

Sample name:	TreeSizeFreeSetup.exe
Analysis ID:	1501919
MD5:	f818f2dac2d096073210a183b91cff4e
SHA1:	0d802c7f197afc4a699a2663447fd579bd4d0e12
SHA256:	c685e16e86183d11c30407ee688dc5a6081e3ea1958d3b9b509bc36e3edbce07
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Drops PE files

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Signatures

Uses 32bit PE files

Source: TreeSizeFreeSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: TreeSizeFreeSetup.exe

Static PE information: certificate valid

Source: TreeSizeFreeSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: TreeSizeFreeSetup.exe, 00000000.00000002.2445856607.0000000002865000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.exe, 00000000.00000003.1174941114.0000000002650000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003692000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2446477363.0000000003820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: TreeSizeFreeSetup.exe, 00000000.00000002.2443195048.0000000002347000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.exe, 00000000.00000003.1174941114.0000000002650000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.000000000259E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://customers.jam-software.de/survey.php
Source: TreeSizeFreeSetup.exe, 00000000.00000002.2443195048.0000000002347000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.exe, 00000000.00000003.1174941114.0000000002650000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.000000000259E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jam-software.upvoty.com/TreeSize
Source: TreeSizeFreeSetup.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: TreeSizeFreeSetup.exe, 00000000.00000003.1176516486.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.exe, 00000000.00000003.1176145422.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000000.1177818704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003620000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003692000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2447941370.0000000003A4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.com/TreeSize/editions.shtml
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003692000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.com/TreeSize/editions.shtml0ExplorerContextMenuItems
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003620000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2447941370.0000000003A4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.com/TreeSize/surumler.shtml
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003620000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.00000000025FD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.com/company/help-us-translate.shtml?language=EN
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003692000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.00000000025F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.com/company/privacy.shtml
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003620000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.000000000263F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.com/treesize/
Source: TreeSizeFreeSetup.exe, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: https://www.jam-software.com0
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003692000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.de/TreeSize/editions.shtml
Source: TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.0000000002540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.de/TreeSize/editions.shtmlPqY
Source: TreeSizeFreeSetup.tmp, 00000001.00000002.2447941370.0000000003A33000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003692000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.de/company/privacy.shtml
Source: TreeSizeFreeSetup.exe, 00000000.00000002.2443195048.0000000002347000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.exe, 00000000.00000003.1174941114.0000000002650000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.000000000259E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.de/freeware/?language=
Source: TreeSizeFreeSetup.tmp, 00000001.00000003.1179395905.0000000003620000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000002.2444046973.000000000263F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.jam-software.de/treesize/
Source: TreeSizeFreeSetup.exe, 00000000.00000003.1176516486.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.exe, 00000000.00000003.1176145422.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, TreeSizeFreeSetup.tmp, 00000001.00000000.1177818704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, TreeSizeFreeSetup.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

PE file contains executable resources (Code or Archives)

Source: TreeSizeFreeSetup.tmp.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Sample file is different than original file name gathered from version info

Source: TreeSizeFreeSetup.exe, 00000000.00000002.2443195048.0000000002378000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs TreeSizeFreeSetup.exe
Source: TreeSizeFreeSetup.exe, 00000000.00000003.1176516486.000000007FB50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs TreeSizeFreeSetup.exe
Source: TreeSizeFreeSetup.exe, 00000000.00000000.1174462731.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs TreeSizeFreeSetup.exe
Source: TreeSizeFreeSetup.exe, 00000000.00000003.1176145422.00000000029A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs TreeSizeFreeSetup.exe
Source: TreeSizeFreeSetup.exe	Binary or memory string: OriginalFileName vs TreeSizeFreeSetup.exe

Uses 32bit PE files

Source: TreeSizeFreeSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean1.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp

Jump to behavior

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TreeSizeFreeSetup.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe

File read: C:\Users\user\Desktop\TreeSizeFreeSetup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TreeSizeFreeSetup.exe "C:\Users\user\Desktop\TreeSizeFreeSetup.exe"
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp "C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp" /SL5="$402BC,12766924,857088,C:\Users\user\Desktop\TreeSizeFreeSetup.exe"
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp "C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp" /SL5="$402BC,12766924,857088,C:\Users\user\Desktop\TreeSizeFreeSetup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: TreeSizeFreeSetup.exe

Static PE information: certificate valid

Source: TreeSizeFreeSetup.exe

Static file information: File size 13832808 > 1048576

Source: TreeSizeFreeSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: TreeSizeFreeSetup.exe	Static PE information: section name: .didata
Source: TreeSizeFreeSetup.tmp.0.dr	Static PE information: section name: .didata

Drops PE files

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\TreeSizeFreeSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B6GD7.tmp\TreeSizeFreeSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1501919
Product:	CloudBasic
Start time:	18:42:22
Start date:	30.08.2024
Sample:	TreeSizeFreeSetup.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f818f2dac2d096073210a183b91cff4e
SHA1:	0d802c7f197afc4a699a2663447fd579bd4d0e12
SHA256:	c685e16e86183d11c30407ee688dc5a6081e3ea1958d3b9b509bc36e3edbce07
Filetype:	Win32 Executable (generic) a (10002005/4) 98.45%

Windows Analysis Report
TreeSizeFreeSetup.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report TreeSizeFreeSetup.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
TreeSizeFreeSetup.exe