File name:

DAEMON Tools Lite.zip

Full analysis: https://app.any.run/tasks/f0e9e2cd-8b38-4e39-990c-c49e158abfa3
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 09, 2023, 22:27:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

223260A7026BE5E988A922D7ED83C473

SHA1:

E9AA942CC98C65939FB2D364898136E0E05AC221

SHA256:

6C9C3C2EE1DC4FD106882B2DA35BFA50DE5F7AE42B62B0979DCA6B57973807C9

SSDEEP:

196608:tTc3Smj5H4cL5drUqyQb4z0igm1CudFHCyzV:dCrMV4igULdFHVV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • DTLite4471-0335.exe (PID: 2332)
      • SPTDinst-x86.exe (PID: 3452)
      • DTLite.exe (PID: 3536)

    • Creates a writable file in the system directory

      • SPTDinst-x86.exe (PID: 3452)

    • Registers / Runs the DLL via REGSVR32.EXE

      • DTLite4471-0335.exe (PID: 2332)

    • Changes the autorun value in the registry

      • sidebar.exe (PID: 2128)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 1864)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DTLite4471-0335.exe (PID: 2332)

    • The process creates files with name similar to system file names

      • DTLite4471-0335.exe (PID: 2332)

    • Executes as Windows Service

      • VSSVC.exe (PID: 1276)

    • Searches for installed software

      • SPTDinst-x86.exe (PID: 3452)
      • dllhost.exe (PID: 3308)

    • Drops a system driver (possible attempt to evade defenses)

      • SPTDinst-x86.exe (PID: 3452)

    • Reads the Internet Settings

      • SetupHelper.exe (PID: 276)
      • sidebar.exe (PID: 1784)
      • DTShellHlp.exe (PID: 3740)
      • SetupHelper.exe (PID: 1904)
      • DTLite.exe (PID: 2092)
      • sipnotify.exe (PID: 128)
      • DTLite.exe (PID: 2100)
      • sidebar.exe (PID: 2128)
      • DTHelper.exe (PID: 2584)
      • DTShellHlp.exe (PID: 2516)
      • DTLite.exe (PID: 3536)
      • DTLiteDownloader.exe (PID: 3656)
      • DTLiteMicroSetup.exe (PID: 4092)

    • Reads security settings of Internet Explorer

      • sidebar.exe (PID: 1784)

    • Checks Windows Trust Settings

      • sidebar.exe (PID: 1784)

    • Reads settings of System Certificates

      • sidebar.exe (PID: 1784)
      • sipnotify.exe (PID: 128)
      • DTLiteDownloader.exe (PID: 3656)

    • Reads Internet Explorer settings

      • sidebar.exe (PID: 1784)
      • sidebar.exe (PID: 2128)

    • Reads Microsoft Outlook installation path

      • sidebar.exe (PID: 1784)
      • sidebar.exe (PID: 2128)

    • Creates files in the driver directory

      • SPTDinst-x86.exe (PID: 3452)

    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 648)
      • sipnotify.exe (PID: 128)

    • Process requests binary or script from the Internet

      • DTLite.exe (PID: 3536)

  • INFO

    • Reads the computer name

      • DTLite4471-0335.exe (PID: 2332)
      • wmpnscfg.exe (PID: 2316)
      • SPTDinst-x86.exe (PID: 3452)
      • SetupHelper.exe (PID: 276)
      • sidebar.exe (PID: 1784)
      • DTLite.exe (PID: 2092)
      • SetupHelper.exe (PID: 1904)
      • DTShellHlp.exe (PID: 3740)
      • sidebar.exe (PID: 2128)
      • DTLite.exe (PID: 2100)
      • IMEKLMG.EXE (PID: 2084)
      • IMEKLMG.EXE (PID: 2092)
      • DTShellHlp.exe (PID: 2516)
      • DTHelper.exe (PID: 2584)
      • wmpnscfg.exe (PID: 2788)
      • wmpnscfg.exe (PID: 2700)
      • DTLite.exe (PID: 3536)
      • DTLiteDownloader.exe (PID: 3656)
      • DTLiteMicroSetup.exe (PID: 4092)
      • DTInstaller.exe (PID: 1048)

    • Checks supported languages

      • DTLite4471-0335.exe (PID: 2332)
      • DTSetupHelper.exe (PID: 2668)
      • wmpnscfg.exe (PID: 2316)
      • SPTDinst-x86.exe (PID: 3452)
      • sidebar.exe (PID: 1784)
      • SetupHelper.exe (PID: 276)
      • DTLite.exe (PID: 2092)
      • SetupHelper.exe (PID: 1904)
      • IMEKLMG.EXE (PID: 2084)
      • DTShellHlp.exe (PID: 3740)
      • IMEKLMG.EXE (PID: 2092)
      • sidebar.exe (PID: 2128)
      • DTShellHlp.exe (PID: 2516)
      • DTLite.exe (PID: 2100)
      • wmpnscfg.exe (PID: 2700)
      • wmpnscfg.exe (PID: 2788)
      • DTHelper.exe (PID: 2584)
      • DTLite.exe (PID: 3536)
      • DTLiteDownloader.exe (PID: 3656)
      • DTLiteMicroSetup.exe (PID: 4092)
      • DTInstaller.exe (PID: 1048)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2620)

    • Create files in a temporary directory

      • DTLite4471-0335.exe (PID: 2332)
      • sidebar.exe (PID: 1784)
      • DTLite.exe (PID: 3536)
      • DTLiteDownloader.exe (PID: 3656)
      • DTLiteMicroSetup.exe (PID: 4092)

    • Creates files in the program directory

      • DTLite4471-0335.exe (PID: 2332)

    • Reads the machine GUID from the registry

      • SPTDinst-x86.exe (PID: 3452)
      • sidebar.exe (PID: 1784)
      • sidebar.exe (PID: 2128)
      • wmpnscfg.exe (PID: 2700)
      • wmpnscfg.exe (PID: 2788)
      • DTShellHlp.exe (PID: 2516)
      • DTLiteDownloader.exe (PID: 3656)
      • DTLiteMicroSetup.exe (PID: 4092)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2316)
      • IMEKLMG.EXE (PID: 2092)
      • IMEKLMG.EXE (PID: 2084)
      • DTLite.exe (PID: 2100)
      • sidebar.exe (PID: 2128)
      • wmpnscfg.exe (PID: 2700)
      • wmpnscfg.exe (PID: 2788)

    • Reads Windows Product ID

      • DTLite4471-0335.exe (PID: 2332)
      • DTLite.exe (PID: 2100)

    • Creates files or folders in the user directory

      • sidebar.exe (PID: 1784)

    • Application launched itself

      • msedge.exe (PID: 3020)

    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 128)

    • Checks proxy server information

      • sidebar.exe (PID: 1784)
      • sidebar.exe (PID: 2128)

    • Process checks are UAC notifies on

      • IMEKLMG.EXE (PID: 2084)
      • IMEKLMG.EXE (PID: 2092)

    • Reads Environment values

      • DTLiteDownloader.exe (PID: 3656)
      • DTLiteMicroSetup.exe (PID: 4092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2023:12:09 22:24:32
ZipCRC: 0xfb5a2dba
ZipCompressedSize: 13851805
ZipUncompressedSize: 13867275
ZipFileName: DAEMON Tools Lite.rar
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
34
Malicious processes
11
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs dtlite4471-0335.exe no specs dtlite4471-0335.exe dtsetuphelper.exe no specs wmpnscfg.exe no specs sptdinst-x86.exe no specs vssvc.exe no specs SPPSurrogate no specs regsvr32.exe no specs setuphelper.exe no specs sidebar.exe dtshellhlp.exe no specs dtlite.exe no specs setuphelper.exe no specs msedge.exe msedge.exe msedge.exe ctfmon.exe no specs sipnotify.exe imeklmg.exe no specs imeklmg.exe no specs dtlite.exe no specs sidebar.exe dthelper.exe no specs dtshellhlp.exe no specs dthelper.exe wmpnscfg.exe no specs wmpnscfg.exe no specs dtlite.exe dtlitedownloader.exe dtlitemicrosetup.exe no specs dtlitemicrosetup.exe dtinstaller.exe

Process information

PID
CMD
Path
Indicators
Parent process
128C:\Windows\system32\sipnotify.exe -LogonOrUnlockC:\Windows\System32\sipnotify.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
276C:\Users\admin\AppData\Local\Temp\nsj3895.tmp\SetupHelper.exe "sidebar.exe"C:\Users\admin\AppData\Local\Temp\nsj3895.tmp\SetupHelper.exeDTLite4471-0335.exe
User:
admin
Company:
DT Soft Ltd
Integrity Level:
MEDIUM
Description:
Setup Helper Process
Exit code:
1
Version:
1.0.0.0001
Modules
Images
c:\users\admin\appdata\local\temp\nsj3895.tmp\setuphelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
648C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1032"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6a0bf598,0x6a0bf5a8,0x6a0bf5b4C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1048"C:\Users\admin\AppData\Local\Temp\DT_INSTALL_TMP\DTInstaller.exe" C:\Users\admin\AppData\Local\Temp\DT_INSTALL_TMP\DTInstaller.exe
DTLiteMicroSetup.exe
User:
admin
Company:
Disc Soft FZE LLC
Integrity Level:
HIGH
Description:
DAEMON Tools Lite
Exit code:
3762504530
Version:
12.0.0.2126
Modules
Images
c:\users\admin\appdata\local\temp\dt_install_tmp\dtinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1276C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1784"C:\Program Files\Windows Sidebar\sidebar.exe" C:\Program Files\Windows Sidebar\sidebar.exe
SetupHelper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Desktop Gadgets
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows sidebar\sidebar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1864"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DAEMON Tools Lite.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1073807364
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1872regsvr32.exe /s DTGadget32.dllC:\Windows\System32\regsvr32.exeDTLite4471-0335.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1904C:\Users\admin\AppData\Local\Temp\nsj3895.tmp\SetupHelper.exe "http://dt-updates.com/license/freeliteactivate"C:\Users\admin\AppData\Local\Temp\nsj3895.tmp\SetupHelper.exeDTLite4471-0335.exe
User:
admin
Company:
DT Soft Ltd
Integrity Level:
MEDIUM
Description:
Setup Helper Process
Exit code:
1
Version:
1.0.0.0001
Modules
Images
c:\users\admin\appdata\local\temp\nsj3895.tmp\setuphelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
27 434
Read events
27 147
Write events
263
Delete events
24

Modification events

(PID) Process:(1864) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
100
Suspicious files
45
Text files
665
Unknown types
0

Dropped files

PID
Process
Filename
Type
1864WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1864.35096\DAEMON Tools Lite.rar
MD5:
SHA256:
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\CHT.dllexecutable
MD5:AD57EE0D9A28AB264D01F172DFCAC93A
SHA256:E0F46FCF3B7716358484AFAAC79B591E5FAE99AEB27D170CF27B14E049E35FEA
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\ELL.dllexecutable
MD5:76B7376195CDCB9190D39A230E08EF84
SHA256:969A59D13057FC44105F8D122DEE224344F4DEF2D8801CEC5893356B8AD82CB6
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\ARA.dllexecutable
MD5:F19376DB613143D95FD294B96AE4ED6B
SHA256:E1855BD443435B0E0D5A13D6835C3C8909E09E366CD82191CD37F9C54FFC6B6B
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\CSY.dllexecutable
MD5:7A4FA95833CB77E3FCE893A6525ACC8A
SHA256:C9E5FC80617DC36D5EEEC77887B9231F19D4F0D1D4799E3E51720B790451EE2B
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\DAN.dllexecutable
MD5:FE6E3FB8DB110BFBEB3028E3FA31F0D0
SHA256:EF374B1F241C08BBFDFF03185F741CE719AE12195620DF3A37C08DFBC1F68A57
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\ENU.dllexecutable
MD5:C931D8397F269FE8CDA546CA66A10FEC
SHA256:A584EA861CC31FEAF1896BC6B8FFF9E9C4AEC1A1D7AFD9E9B5758CE8E66EB1BB
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\HRV.dllexecutable
MD5:90DF3C1359ADD247170A3B7EEB6A4B7E
SHA256:BB3BA5095CA201B0BF1032C96613CF4859AD1AE7E9D5A0F1386AD40F014BD3BF
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\ESN.dllexecutable
MD5:40AFB01FC9D6DD8A5632EE171240203C
SHA256:D0E0883AC2934F2C008C2871AAA993477B6C3B84703721D4D6560E3D349F3840
2332DTLite4471-0335.exeC:\Users\admin\AppData\Local\Temp\nsj3895.tmp\Lang\CAT.dllexecutable
MD5:0FED535F48C72915C58DC6074F2BE17F
SHA256:F16F5ED78FB69B797A433CF3600964BB3EA17DF9B8C210677328C2FBAA78A78E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
32
DNS requests
25
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2332
DTLite4471-0335.exe
GET
500
167.99.255.139:80
http://dt.web-search-home.com/getsettings?query=IMTrGnJ%2fMkKkt1m94Tg5qiC6UoauEVzEvQMF6fyPaPEjuhOSxpWnlhX7Go2eQSk%2bt%2bfwHIz3ApZe13AVePAqDrUP8iFlnl9MV0HvwleViJSMjNvfSPjkK9v2xQS7xQYDdGpUyiWGWEXJo%2f7Y7f%2fbI2P2OHJGwpl0T50NcNuaysI%3d
unknown
binary
2 b
unknown
1784
sidebar.exe
GET
301
161.35.70.0:80
http://www.daemon-tools.cc/rss_news.xml
unknown
html
169 b
unknown
1784
sidebar.exe
GET
200
23.212.210.158:80
http://x1.c.lencr.org/
unknown
binary
717 b
unknown
1784
sidebar.exe
GET
200
2.19.198.75:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?db23b8582f1331a4
unknown
compressed
65.2 Kb
unknown
1784
sidebar.exe
GET
200
2.19.198.75:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5860c6130e360890
unknown
compressed
4.66 Kb
unknown
128
sipnotify.exe
HEAD
200
88.221.61.151:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133466345625310000
unknown
unknown
2792
msedge.exe
GET
301
138.68.93.157:80
http://dt-updates.com/license/freeliteactivate
unknown
html
169 b
unknown
3536
DTLite.exe
POST
301
188.42.46.250:80
http://depot.mountspace.com/
unknown
html
185 b
unknown
3536
DTLite.exe
GET
200
167.172.161.3:80
http://disc-tools.com/download/c2127b7a040a6001d54941fd7beb06abaca36ca1/1702164631/DTLiteDownloader.exe
unknown
executable
188 Kb
unknown
3536
DTLite.exe
POST
200
138.68.93.157:80
http://dt-updates.com/license/activate
unknown
binary
352 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2332
DTLite4471-0335.exe
167.99.255.139:80
dt.web-search-home.com
DIGITALOCEAN-ASN
DE
unknown
1784
sidebar.exe
161.35.70.0:80
www.daemon-tools.cc
DIGITALOCEAN-ASN
DE
unknown
1784
sidebar.exe
161.35.70.0:443
www.daemon-tools.cc
DIGITALOCEAN-ASN
DE
unknown
1784
sidebar.exe
2.19.198.75:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1784
sidebar.exe
23.212.210.158:80
x1.c.lencr.org
AKAMAI-AS
AU
unknown
1032
msedge.exe
52.168.117.172:443
nw-umwatson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
dt.web-search-home.com
  • 167.99.255.139
unknown
www.daemon-tools.cc
  • 161.35.70.0
unknown
ctldl.windowsupdate.com
  • 2.19.198.75
  • 23.32.238.136
  • 23.32.238.154
  • 23.32.238.144
  • 23.32.238.161
  • 23.32.238.155
  • 23.32.238.121
  • 23.32.238.129
  • 2.19.198.65
whitelisted
x1.c.lencr.org
  • 23.212.210.158
whitelisted
blog.daemon-tools.cc
  • 161.35.70.0
unknown
nw-umwatson.events.data.microsoft.com
  • 52.168.117.172
whitelisted
dt-updates.com
  • 138.68.93.157
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
nav-edge.smartscreen.microsoft.com
  • 20.105.95.163
whitelisted
edge.microsoft.com
  • 131.253.33.239
  • 13.107.22.239
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
1080
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
1120
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3536
DTLite.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
3536
DTLite.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3536
DTLite.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3536
DTLite.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1 ETPRO signatures available at the full report
Process
Message
msedge.exe
[1209/222856.519:ERROR:process_info.cc(617)] range at 0x0, size 0x18 fully unreadable
msedge.exe
[1209/222856.535:ERROR:process_info.cc(617)] range at 0x0, size 0x18 fully unreadable
msedge.exe
[1209/222857.613:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\6ac1878d-651b-4e55-9c5d-aea78ce8e8f6: The system cannot find the file specified. (0x2)
msedge.exe
[1209/222857.613:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\6ac1878d-651b-4e55-9c5d-aea78ce8e8f6: The system cannot find the file specified. (0x2)
msedge.exe
[1209/222857.644:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\6ac1878d-651b-4e55-9c5d-aea78ce8e8f6: The system cannot find the file specified. (0x2)
msedge.exe
[1209/222857.644:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\6ac1878d-651b-4e55-9c5d-aea78ce8e8f6: The system cannot find the file specified. (0x2)
msedge.exe
[1209/222858.152:ERROR:process_info.cc(617)] range at 0x0, size 0x18 fully unreadable
msedge.exe
[1209/222858.183:ERROR:process_info.cc(617)] range at 0x0, size 0x18 fully unreadable
msedge.exe
[1209/222858.862:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\6ac1878d-651b-4e55-9c5d-aea78ce8e8f6: The system cannot find the file specified. (0x2)
msedge.exe
[1209/222858.867:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\6ac1878d-651b-4e55-9c5d-aea78ce8e8f6: The system cannot find the file specified. (0x2)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DAEMON Tools Lite.zip