File name: DaemonTools Lite.exe
Full analysis: https://app.any.run/tasks/f8d63723-6c8a-4f2e-b65f-0bf637cc4cba
Verdict: Malicious activity
Analysis date: March 05, 2024, 17:51:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 0FA6CD1DE96BDE0431C1C91904F6D040
SHA1: E750C443A83F9B135B499E7917C5A93120384BB3
SHA256: 17761E85FBD73BA7F17F6862C530E982B8E5778FB509BE6BCF749078C55F1BB0
SSDEEP: 98304:Dl8BAikUcxYxltsKjHuzga3FXXs5QmZg7cvjAcDhWaXKkdGNxlEEms0oHXhBomPd:f+jivORfnfu7PYeM3FMX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • DaemonTools Lite.exe (PID: 2752)
    • Drops the executable file immediately after the start

      • DaemonTools Lite.exe (PID: 2752)
      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DaemonTools Lite.exe (PID: 2752)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • DaemonTools Lite.exe (PID: 2752)
    • Executable content was dropped or overwritten

      • DaemonTools Lite.exe (PID: 2752)
      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
    • Searches for installed software

      • DaemonTools Lite.exe (PID: 2752)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DaemonTools Lite.exe (PID: 2752)
    • Creates a software uninstall entry

      • DaemonTools Lite.exe (PID: 2752)
    • Adds/modifies Windows certificates

      • DaemonTools Lite.exe (PID: 2752)
    • Drops a system driver (possible attempt to evade defenses)

      • DaemonTools Lite.exe (PID: 2752)
      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
    • Creates files in the driver directory

      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 120)
      • DaemonTools Lite.exe (PID: 2752)
      • drvinst.exe (PID: 1992)
      • drvinst.exe (PID: 1576)
      • sidebar.exe (PID: 2468)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1836)
    • Reads security settings of Internet Explorer

      • DaemonTools Lite.exe (PID: 2752)
      • SetupHelper.exe (PID: 1784)
      • sidebar.exe (PID: 2468)
    • Reads settings of System Certificates

      • DaemonTools Lite.exe (PID: 2752)
      • sidebar.exe (PID: 2468)
    • Reads the Internet Settings

      • rundll32.exe (PID: 1808)
      • SetupHelper.exe (PID: 1784)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2040)
  • INFO

    • Reads the computer name

      • DaemonTools Lite.exe (PID: 2752)
      • wmpnscfg.exe (PID: 3240)
      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
      • drvinst.exe (PID: 1576)
      • SetupHelper.exe (PID: 1784)
      • sidebar.exe (PID: 2468)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3240)
      • DaemonTools Lite.exe (PID: 2752)
      • DTSetupHelper.exe (PID: 3460)
      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
      • drvinst.exe (PID: 1576)
      • SetupHelper.exe (PID: 1784)
      • sidebar.exe (PID: 2468)
    • Create files in a temporary directory

      • DaemonTools Lite.exe (PID: 2752)
    • Creates files in the program directory

      • DaemonTools Lite.exe (PID: 2752)
    • Reads Windows Product ID

      • DaemonTools Lite.exe (PID: 2752)
    • Reads the machine GUID from the registry

      • DaemonTools Lite.exe (PID: 2752)
      • drvinst.exe (PID: 120)
      • drvinst.exe (PID: 1992)
      • drvinst.exe (PID: 1576)
      • sidebar.exe (PID: 2468)
    • Reads the software policy settings

      • drvinst.exe (PID: 120)
      • DaemonTools Lite.exe (PID: 2752)
      • drvinst.exe (PID: 1992)
      • drvinst.exe (PID: 1576)
      • sidebar.exe (PID: 2468)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 120)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 1808)
    • Process checks computer location settings

      • drvinst.exe (PID: 1576)
    • Application launched itself

      • msedge.exe (PID: 1840)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:31+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x354b
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 4.49.1.356
ProductVersionNumber: 4.49.1.356
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Disc Soft Ltd
FileDescription: DAEMON Tools Lite Setup
FileVersion: 4.49.1.0356.0
InternalName: DAEMON Tools Lite4.49.1.0356.exe
LegalCopyright: Copyright (C) 2004-2012
OriginalFileName: DAEMON Tools Lite4.49.1.0356.exe
ProductName: DAEMON Tools Lite
ProductVersion: 4.49.1.0356.0
No data.
Total processes: 65
Monitored processes: 26
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes shown (in launch order): daemontools lite.exe, dtsetuphelper.exe (no specs), drvinst.exe, vssvc.exe (no specs), drvinst.exe, drvinst.exe (no specs), rundll32.exe (no specs), dinotify.exe (no specs), rundll32.exe (no specs), regsvr32.exe (no specs), setuphelper.exe (no specs), sidebar.exe (no specs), dtlite.exe (no specs), setuphelper.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), daemontools lite.exe (no specs), wmpnscfg.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 120
CMD: DrvInst.exe "4" "20" "C:\Users\admin\AppData\Local\Temp\{7415aae9-8f59-3399-3756-d46c39f1005c}\dtsoftbus01.inf" "0" "6fa1095ab" "000003F8" "WinSta0\Default" "00000558" "208" "C:\Program Files\DAEMON Tools Lite"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 992
CMD: C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\SetupHelper.exe "http://dt-updates.com/license/freeliteactivate"
Path: C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\SetupHelper.exe
Parent process: DaemonTools Lite.exe
User: admin
Company: DT Soft Ltd
Integrity Level: MEDIUM
Description: Setup Helper Process
Exit code: 1
Version: 1.0.0.0001
PID: 1432
CMD: "C:\Users\admin\AppData\Local\Temp\DaemonTools Lite.exe"
Path: C:\Users\admin\AppData\Local\Temp\DaemonTools Lite.exe
Parent process: explorer.exe
User: admin
Company: Disc Soft Ltd
Integrity Level: MEDIUM
Description: DAEMON Tools Lite Setup
Exit code: 3221226540
Version: 4.49.1.0356.0
Modules (images):
c:\users\admin\appdata\local\temp\daemontools lite.exe
c:\windows\system32\ntdll.dll
PID: 1576
CMD: DrvInst.exe "1" "200" "DTSOFTBUS&Rev1\DTCDROM&Rev1\1&79f5d87&0&00" "" "" "634813977" "00000000" "000005F4" "00000550"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1736
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2148 --field-trial-handle=1328,i,14331363602024877433,1640223434079103495,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 1784
CMD: C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\SetupHelper.exe "sidebar.exe"
Path: C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\SetupHelper.exe
Parent process: DaemonTools Lite.exe
User: admin
Company: DT Soft Ltd
Integrity Level: MEDIUM
Description: Setup Helper Process
Exit code: 1
Version: 1.0.0.0001
PID: 1808
CMD: rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{f80dc317-d875-4d43-92d6-c94f748c748b} "(null)"
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 1836
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1840
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://dt-updates.com/license/freeliteactivate
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: SetupHelper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 1892
CMD: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 14 508
Read events: 14 267
Write events: 227
Delete events: 14

Modification events

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_CURRENT_USER\Software\Disc Soft\DAEMON Tools Pro\View
Operation: write
Name: Language
Value: 1033

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: DAEMON Tools Lite
Value: "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_CURRENT_USER\Software\Disc Soft\DAEMON Tools Pro\Config
Operation: write
Name: UseTrayAgent
Value: 0

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: delete value
Name: C:\Program Files\DAEMON Tools Lite\DTLite.exe
Value: (none)

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DAEMON Tools Lite
Operation: write
Name: DisplayName
Value: DAEMON Tools Lite

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DAEMON Tools Lite
Operation: write
Name: UninstallString
Value: C:\Program Files\DAEMON Tools Lite\uninst.exe

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DAEMON Tools Lite
Operation: write
Name: DisplayVersion
Value: 4.49.1.0356

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DAEMON Tools Lite
Operation: write
Name: URLInfoAbout
Value: http://www.daemon-tools.cc/

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DAEMON Tools Lite
Operation: write
Name: Publisher
Value: Disc Soft Ltd

(PID) Process: (2752) DaemonTools Lite.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DAEMON Tools Lite
Operation: write
Name: DisplayIcon
Value: C:\Program Files\DAEMON Tools Lite\DTLite.exe
Executable files: 107
Suspicious files: 32
Text files: 43
Unknown types: 14

Dropped files

PID | Process | Filename | Type

2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\ARA.dll | executable
  MD5: F5272E2BF2E11C7D4F0C9A14D52C5B7B
  SHA256: 8A5C2EFD2A04A0BE4AED5E29D0C0F4D68C18E15DAEF7559375F3C08CDEFF575C
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\BGR.dll | executable
  MD5: 53B039760B24B3FC54465CF234150B89
  SHA256: 834A2140FAEF8A5C79B34D8579986B6FC09B580C6239E4B941A1E8446B82E7F3
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\BIH.dll | executable
  MD5: D8951EF349F624C91775B718DC8ED244
  SHA256: 9B40A12655CBD529703490F53DD37C0EA17D38499BF4680F5288F60B78E6289E
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\CHT.dll | executable
  MD5: D96F35887A108FD3D7DB5AE5B7EBA2BF
  SHA256: 9DEE891753A1024E848BAB1612AE2624EE57584A9FF1A5704D8BDCE743F84571
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\CAT.dll | executable
  MD5: 7C53A22A684BA61056D0A1AD9027D74E
  SHA256: 81B449089297A577C728DCA224D5A7531DB0D7FEADF272F2CBCE150B3D0293A2
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\CHS.dll | executable
  MD5: 492AC7137A8D00BBB12291B464FEF115
  SHA256: C4D260E44928FA3EFA494432AD0A9A1CB737B60C2EB9AC690B14920AE7FDD244
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\CSY.dll | executable
  MD5: E48DA04559CD4F0C7CBB1A428269468E
  SHA256: ABCD4ACF0545EF3275D5330AE17E3EB2B82FEC0EC64BD837DACDBD6ACDDE2BED
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\DEU.dll | executable
  MD5: 70F2667E96A5156CFBB5B0A129982C55
  SHA256: D5DA42B236AC196C0BD63EDE2C6E1FE5CC94801803B473510DA1BAD32222AC34
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\DAN.dll | executable
  MD5: 0283B73702353989729AFD082C353BB5
  SHA256: 1AD314449C5032E5657E9C71F0C76E6415147C5166EB2D7E7A3A813B5D142EAA
2752 | DaemonTools Lite.exe | C:\Users\admin\AppData\Local\Temp\nsr4DF.tmp\Lang\ELL.dll | executable
  MD5: 43A0A3EAECFCB6E7227F51846B077A5C
  SHA256: 72DFC2D448894D0DFF6EE5D906915F1460D3D02B88CD624655578F55033B6A30
HTTP(S) requests: 2
TCP/UDP connections: 24
DNS requests: 29
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2752 | DaemonTools Lite.exe | GET | 500 | 167.99.255.139:80 | http://dt.web-search-home.com/getsettings?query=0aZ06J3t9EKqe72BsnSBUKEq8%2fYacPI%2b%2bdNiPboaK1CMErI5J1nWmcNa0qTkXRJDvn2wg%2freRWts80WnQYK3G1NL4RkZUFQPVW235jOcCOn1W3r%2fTNa8MeAAHt4kNx1WsWvndgqOocHkpJd8BZcqIBfJW5oHKV9y0iaHbl2dul0%3d | unknown | binary | 2 b | unknown
3272 | msedge.exe | GET | 301 | 138.68.93.157:80 | http://dt-updates.com/license/freeliteactivate | unknown | html | 169 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2752 | DaemonTools Lite.exe | 167.99.255.139:80 | dt.web-search-home.com | DIGITALOCEAN-ASN | DE | unknown
1840 | msedge.exe | 239.255.255.250:1900 | - | - | - | unknown
3272 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3272 | msedge.exe | 52.123.242.237:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | CH | unknown
3272 | msedge.exe | 138.68.93.157:80 | dt-updates.com | DIGITALOCEAN-ASN | DE | unknown
3272 | msedge.exe | 138.68.93.157:443 | dt-updates.com | DIGITALOCEAN-ASN | DE | unknown
3272 | msedge.exe | 172.217.23.99:443 | www.recaptcha.net | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
dt.web-search-home.com
  • 167.99.255.139
unknown
config.edge.skype.com
  • 52.123.242.237
  • 52.123.242.235
  • 52.123.242.232
  • 52.123.242.234
whitelisted
dt-updates.com
  • 138.68.93.157
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
www.recaptcha.net
  • 172.217.23.99
whitelisted
fonts.googleapis.com
  • 142.250.186.42
whitelisted
fonts.gstatic.com
  • 216.58.206.35
whitelisted
www.gstatic.com
  • 142.250.181.227
whitelisted
www.google-analytics.com
  • 142.250.186.174
whitelisted
cdn.daemon-tools.cc
  • 185.172.148.128
unknown

Threats

PID | Process | Class | Message
3272 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
3272 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
No debug info