Windows Security Threat Scanner - WSTS

A read-only forensic scanner that inspects your Windows PC for malware indicators, persistence mechanisms, and evidence of log or credential-store tampering.

Runs 100% locally. No account. No telemetry. Nothing ever leaves your machine.

Version 1.0.0 · Windows 10 / 11 (64-bit) · Open source

What WSTS checks

Prefetch execution

Flags execution of known offensive-security tools and Windows LOLBins (Mimikatz, PsExec, certutil, mshta, and more).

Startup persistence

Inspects user and global Startup folders for suspicious scripts, shortcuts, and recently planted payloads.

Event-log tampering

Detects cleared or recently modified Security, System, and Application logs — a common anti-forensic move.

Credential stores

Checks DPAPI and Credential Manager artifacts for recent modification that may indicate theft attempts.

Amcache & NTUSER

Reviews application-execution history hives for recent tampering or unusual activity.

Local report

Results render in your browser at 127.0.0.1 — generated on-device and never uploaded.

Why this download is safe

Security tools are frequently flagged by antivirus engines because they read the same forensic artifacts that malware touches. We are fully transparent so you can trust — and independently verify — exactly what you are running.

Read-only by design

WSTS never writes, deletes, modifies, or transmits any file. It opens artifacts for reading and reports what it finds. Nothing else.

Fully open source

Every line is public. Read the source, audit the logic, or build the executable yourself from our repository.

No network access

The scanner makes no outbound connections. You can verify this with your own firewall — block it entirely and it still works.

Checksummed every release

Every release is published with a SHA-256 hash so you can confirm the file is genuine and unmodified. Authenticode code-signing is being provisioned and will be added in a future build.

Independently scanned

We submit each build to VirusTotal. Review the multi-engine report before you run anything.


If your antivirus flags it

A read-only forensic scanner reads the same credential and registry artifacts that malware touches, so an unsigned build can trigger a heuristic false-positive — Microsoft Defender may quarantine or delete it. To recover: open Windows Security → Virus & threat protection → Protection history, find the WSTS detection, and choose Restore / Allow. Always verify the SHA-256 hash below first. We submit every build to Microsoft and VirusTotal.

Verify before you run

Confirm the file you downloaded matches our official release. If the hash differs, do not run it — delete it and download again.

1. SHA-256 checksum

Official hash for WSTS-Setup-1.0.0.exe:

<published with each release>

Verify in PowerShell:

Get-FileHash .\WSTS-Setup-1.0.0.exe -Algorithm SHA256

2. Authenticode signature

Code-signing is being provisioned. Until it is in place this build is unsigned, so Windows will report NotSigned — that is expected. Confirm authenticity with the SHA-256 hash above. You can check signature status with:

Get-AuthenticodeSignature .\WSTS-Setup-1.0.0.exe | Format-List Status, SignerCertificate

Current status: NotSigned · Publisher (after signing): Antibody Cyber Technology, LLC
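
Both checks above can be combined into one script that refuses to pass a file whose hash does not match. This is an added example, not part of WSTS or its repository; the function name Test-ReleaseFile is hypothetical, and the expected hash is a placeholder you replace with the value published for the release.

```powershell
# Added example, not WSTS code. Test-ReleaseFile is a hypothetical helper name.
param(
    [string]$Path = '.\WSTS-Setup-1.0.0.exe',
    # Placeholder: paste the SHA-256 value published with the release.
    [string]$ExpectedSha256 = '<published with each release>'
)

function Test-ReleaseFile {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Normalise the published value: strip whitespace, ignore case.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'Expected value is not a 64-character hex SHA-256 hash.'
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File            = (Resolve-Path -LiteralPath $Path).Path
        Sha256          = $actual
        HashMatches     = ($actual -eq $expected)
        SignatureStatus = $sig.Status.ToString()
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$result = Test-ReleaseFile -Path $Path -ExpectedSha256 $ExpectedSha256
$result | Format-List

if (-not $result.HashMatches) {
    Write-Error 'SHA-256 mismatch: do not run this file. Delete it and download again.'
    exit 1
}
# The page states this build is unsigned, so NotSigned is expected for now.
# Any other non-Valid status (for example HashMismatch) means a signature is
# present but does not verify, which should be treated as a failure.
if ($result.SignatureStatus -notin @('Valid', 'NotSigned')) {
    Write-Error "Unexpected Authenticode status: $($result.SignatureStatus)"
    exit 1
}
Write-Output 'Hash matches the published value.'
```

Once signing is in place, also compare the Signer field against the publisher name given on this page rather than accepting any Valid signature.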

Download WSTS

WSTS-Setup-1.0.0.exe

Windows 10 / 11 (64-bit) · ~12 MB · Version 1.0.0


For best protection, always download directly from https://wsts.spatcyber.com and verify the SHA-256 hash above. We never distribute WSTS through third-party sites.

Run as Administrator for full artifact access. WSTS opens a local dashboard at http://127.0.0.1:5900 in your browser.

Heads-up: until code-signing is in place, Microsoft Defender or SmartScreen may flag this unsigned forensic tool as a false positive and quarantine it. If that happens, restore it from Windows Security → Virus & threat protection → Protection history after verifying the SHA-256 hash above.