Analysis Overview
SHA256
2fdb840680a5c6dc92f0c642bf8d9c42b60f6b9c9ec61cc3f487edd931583583
Threat Level: Shows suspicious behavior
The file FL5.iso was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
ASPack v2.12-2.42
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 01:04
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4088 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4088 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4088 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FLEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FLEngine.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1288 -ip 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 576
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1288-0-0x0000000010000000-0x00000000100DC000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2184 wrote to memory of 3568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2184 wrote to memory of 3568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2184 wrote to memory of 3568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OpenAsio.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OpenAsio.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 484
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
146s
Max time network
159s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3200 wrote to memory of 4172 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3200 wrote to memory of 4172 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3200 wrote to memory of 4172 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\REX Shared Library.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\REX Shared Library.dll",#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240508-en
Max time kernel
90s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2016 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\elastique.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\elastique.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.111.243.30:443 | | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240426-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4628 wrote to memory of 1140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4628 wrote to memory of 1140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4628 wrote to memory of 1140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svctl32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svctl32.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
90s
Max time network
103s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Crack\FL.exe
"C:\Users\Admin\AppData\Local\Temp\Crack\FL.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/1456-0-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240426-en
Max time kernel
145s
Max time network
96s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Image-Line\FLStudio5\collab_install.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\SET54F1.tmp | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| File created | C:\Windows\SysWOW64\SET54F1.tmp | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vorbis.acm | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| File created | C:\Windows\SysWOW64\rewire.dll | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rewire.dll | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\SimSynth\Riffs\Be Glissful.syn | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Projects\Tutorial\Fruity Peak Controller (advanced).flp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Choirs\CHR_80s_C5.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Misc\Used by demo projects\ArentYouClever\AYC_Vox.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Misc\Used by demo projects\SL_TremStrings.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\TS404\Xylophone.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Percussion\Percussion - quarnk.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators\BeepMap\Voice.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Scores\Chopping\Arpeggios\Scales\Scales - Diminished.fsc | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\Sytrus\Artwork\Back_Info.bmp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\3x Osc\Rave lead.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\Dashboard\Artwork\XP30\Roland XP-30-small.ini | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Effects\Fruity Formula Controller\Synchronized randomness.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Pad\Pad - vocad.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Vintage\VT_CB.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators\FL Keys\Plain Piano.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators\Fruity DX10\Clunk Bass.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\Fruity DrumSynth Live\Fruity DrumSynth Live.dll | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\TS404\Cans Long.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\SimSynth\Riffs\RatMeat.syn | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Short synth\Short synth - pacman pill.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators\FL Keys\Concert Piano.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\DrumLoops\DL_AfterKill.zgr | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Projects\Short clips\Vocoder test 2.flp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\Sytrus\Data\LFO\Immediate.fnv | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Pad\Pad - lemuria.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\FPC\Toms\FPC_Tom_GtomLow_002.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Projects\Cool stuff\JasonC-Dark Corners.flp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Projects\Tutorial\Getting started\GettingStarted1.flp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\TS404\Childs Play.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\SimSynth\Riffs\Banging.syn | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Strings\STR_Chorussy_C1.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Scores\Chopping\Chords\Seventh\minor Major Seventh - m-Maj7.fsc | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\SimSynth\Misc\Trance.syn | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Dance\DNC_Snare_3.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Piano\Piano - music box.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators\Sytrus\Sequence - eurogate 4.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Scores\Chopping\Chords\Ninenth\Ninenth Sharp 11nth - 9#11.fsc | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Scores\Chopping\Chords\Seventh\Seventh Sharp 9nth - 7#9.fsc | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Projects\Short clips\BeepMap Ambi 2.flp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\3x Osc\String 4.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Synth string\Synth string - hollow keyboard.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Effects\Buzz Effect Adapter\Rymix FlaserBox.prs | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\Dashboard\Artwork\Default\Dark Pan Wheel.ini | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\System\Tools\BeatSlicer\zx_bs_d.hlp | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\3x Osc\Voodoo.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\Sytrus\Data\LFO\Default.fnv | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Pads\PAD_GloomPrelude.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators\Sytrus\Percussion - ethnic hit.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Scores\Chopping\Leads\opaque.fsc | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Pads\PAD_Fantasy_C3.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Plugins\Fruity\Generators\FL Keys\Wavtables\Rhodes.wti | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Generators.nfo | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\TS404\Fat Square.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Shapes\Misc\SHP_BungList_7.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Pad\Pad - ether.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Scores\Chopping\Arpeggios\Seventh\minor Seventh add 11nth - m7add11.fsc | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Projects\Templates\DrumSynth\Effects\GUNSHOT.DS | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\TS404\Bee.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Channel presets\TS404\303ish Again 4.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Sytrus\Plucked\Plucked - double.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Packs\Vocals\VOC_ThatsRight.wav | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Effects\Fruity Phaser\old fashion.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| File created | C:\Program Files (x86)\Image-Line\FLStudio5\Data\Patches\Plugin presets\Effects\Fruity Reeverb\Echoey.fst | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell\open\command | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FLKEY | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Filter\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\ = "IL FL Studio DXi" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\ProgID | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\ = "FL Studio project file" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\ = "Registration Entries" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\Pins\Input\IsRendered = "0" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Master Output\Types | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLKeyFile | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\Pins\Master Output\ConnectsToPin = "Input" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FL Studio DXi (Multi).IL Multi FL Studio DXi\ = "IL Multi FL Studio DXi" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FL Studio DXi (Multi).IL Multi FL Studio DXi\Clsid | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell\open | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FL Studio DXi.IL FL Studio DXi\Clsid | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760014B7-306F-4A53-9350-170E2742AB0E}\InprocServer32\ = "C:\\PROGRA~2\\IMAGE-~1\\FLSTUD~1\\System\\Plugin\\DXi\\FLSTUD~1.DLL" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MfxSoftSynths\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\HelpFileTopic = "1" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FL Studio DXi (Multi).IL Multi FL Studio DXi | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760014B7-306F-4A53-9350-170E2742AB0E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FSTFile\shell | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\Pins | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\Pins\Input\AllowedZero = "0" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MfxSoftSynths\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\Description = "IL FL Studio DXi" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Input\IsRendered = "0" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell\Open with FL Studio 5\command | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\InprocServer32\ = "C:\\PROGRA~2\\IMAGE-~1\\FLSTUD~1\\System\\Plugin\\DXi\\FLSTUD~1.DLL" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760014B7-306F-4A53-9350-170E2742AB0E} | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Input\Direction = "0" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FLP | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell\Open with FL Studio 5 | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\ProgID\ = "FL Studio DXi.IL FL Studio DXi" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}\Pins\Input\Types\{73647561-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000} | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FSC\ = "FSCFile" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FL Studio DXi.IL FL Studio DXi\Clsid\ = "{1989C251-CAF3-4B79-BDBF-4FDB82AEF383}" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A1D8395-2D96-4C24-9536-299C400A6B01}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FLP\ = "FLPFile" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell\Open with FL Studio 5\command\ = "\"C:\\Program Files (x86)\\Image-Line\\FLStudio5\\FL.exe\" \"%1\"" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Master Output\AllowedZero = "0" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MfxSoftSynths\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\HelpFileTopic = "1" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Master Output | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FST\ = "FSTFile" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FSCFile | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FSCFile\shell\open\command | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FLKeyFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Image-Line\\FLStudio5\\FL.exe\" \"%1\"" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A1D8395-2D96-4C24-9536-299C400A6B01}\InprocServer32\ = "C:\\PROGRA~2\\IMAGE-~1\\FLSTUD~1\\System\\Plugin\\DXi\\FLSTUD~2.DLL" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FLPFile\shell\Open with FL Studio 5\ = "Open with FL Studio 5" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FL Studio DXi.IL FL Studio DXi | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FSTFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Image-Line\\FLStudio5\\FL.exe\" \"%1\"" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Merit = "2097152" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Master Output\Types\{73647561-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000} | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MfxSoftSynths\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Description = "IL Multi FL Studio DXi" | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLKeyFile\shell\open\command | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FLKeyFile\shell | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MfxSoftSynths | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Input\Types\{73647561-0000-0010-8000-00AA00389B71} | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{499755CF-C66A-4B9E-A834-0182BDAEF6E0}\Pins\Master Output\Types\{73647561-0000-0010-8000-00AA00389B71} | C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FSCFile\shell\open | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FSCFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Image-Line\\FLStudio5\\FL.exe\" \"%1\"" | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe
"C:\Users\Admin\AppData\Local\Temp\FLStudio5_Install.exe"
C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe
"C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe" /Setup
C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\Admin\AppData\Local\Temp\vorbisacm.inf"
C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe
"C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe" /IconSetup
C:\Program Files (x86)\Image-Line\FLStudio5\collab_install.exe
"C:\Program Files (x86)\Image-Line\FLStudio5\collab_install.exe"
C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe
"C:\Program Files (x86)\Image-Line\FLStudio5\FL.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000049C
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 2404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2404 -ip 2404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 468
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240508-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 3896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sveng32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sveng32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 2464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dsplib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dsplib.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2464 -ip 2464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240419-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FL.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\FL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\FL.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FL.exe
"C:\Users\Admin\AppData\Local\Temp\FL.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 856
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240508-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 1956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LAMEenc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LAMEenc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 448
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240508-en
Max time kernel
101s
Max time network
132s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\WhatsNew.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.184:443 | metadata.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
Files
memory/2788-0-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-2-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-3-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-5-0x00007FFCD5BE3000-0x00007FFCD5BE4000-memory.dmp
memory/2788-4-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-1-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-6-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-8-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-9-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-7-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-10-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-12-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-13-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-15-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-16-0x00007FFC93800000-0x00007FFC93810000-memory.dmp
memory/2788-18-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-17-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-14-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-19-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-21-0x00007FFC93800000-0x00007FFC93810000-memory.dmp
memory/2788-23-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-22-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-20-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-11-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD96E3.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
memory/2788-514-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-515-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
memory/2788-539-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-540-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-542-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-541-0x00007FFC95BD0000-0x00007FFC95BE0000-memory.dmp
memory/2788-543-0x00007FFCD5B40000-0x00007FFCD5D49000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240508-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 224 wrote to memory of 4680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 224 wrote to memory of 4680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 224 wrote to memory of 4680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Speaker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Speaker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 512
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1912 wrote to memory of 4632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1912 wrote to memory of 4632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1912 wrote to memory of 4632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZeroX_AS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZeroX_AS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 500
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240508-en
Max time kernel
91s
Max time network
102s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4748 wrote to memory of 5036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4748 wrote to memory of 5036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4748 wrote to memory of 5036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FFT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FFT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240426-en
Max time kernel
90s
Max time network
95s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2712 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2712 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2712 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnzDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnzDll.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240426-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4108 wrote to memory of 3840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4108 wrote to memory of 3840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4108 wrote to memory of 3840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZipDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZipDll.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
146s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2632 wrote to memory of 2484 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2632 wrote to memory of 2484 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2632 wrote to memory of 2484 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ds2wav.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ds2wav.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2484 -ip 2484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 448
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.30:443 | | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240426-en
Max time kernel
90s
Max time network
96s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 2108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ss2wav.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ss2wav.dll,#1
Network
Files
memory/2108-0-0x0000000002A20000-0x0000000002A59000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240508-en
Max time kernel
91s
Max time network
99s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1856 wrote to memory of 408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Crack\FLEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Crack\FLEngine.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:09
Platform
win11-20240426-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 3724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 3724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 3724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3724 -ip 3724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 532
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-18 01:04
Reported
2024-05-18 01:10
Platform
win11-20240419-en
Max time kernel
92s
Max time network
104s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 656 wrote to memory of 4504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 656 wrote to memory of 4504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 656 wrote to memory of 4504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ss2wav16.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ss2wav16.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
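Every behavioral analysis above has the same shape: a 64-bit System32\rundll32.exe is given a DLL from the user's Temp directory with export ordinal #1, a SysWOW64\rundll32.exe appears with the identical command line (that is how Windows hands a 32-bit DLL to the 32-bit rundll32, and it is the event the "PID x wrote to memory of PID y" rows record), and in some runs WerFault.exe then reports on the SysWOW64 rundll32 PID because the export crashed. The script below is an added illustration, not part of the sandbox report or its vendor's tooling: it parses process records of that shape, applies those four checks, and labels the WoW64 relaunch as expected rather than as injection. The Proc record type is mine; the sample list merges behavioral12 and behavioral13 using the rundll32 PIDs from their signature tables, and the WerFault PIDs 9001/9002 are made up because the report does not list them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Command-line shapes taken from the report's Processes sections:
#   rundll32.exe C:\Users\Admin\AppData\Local\Temp\Speaker.dll,#1   (DLL path, export by ordinal)
#   C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 512               (crash report for PID 4680)
RUNDLL32_RE = re.compile(
    r'^"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(?P<pid>\d+)(?=\s|$)")
USER_WRITABLE_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


def parse_rundll32(cmdline: str) -> dict | None:
    """Return {'dll', 'export', 'ordinal'} for a rundll32 load, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    export = m.group("export")
    ordinal = int(export[1:]) if export.startswith("#") else None
    return {"dll": m.group("dll"), "export": export, "ordinal": ordinal}


def parse_werfault(cmdline: str) -> int | None:
    """Return the PID a WerFault.exe command line reports on (its -p value), or None."""
    if "werfault" not in cmdline.lower():
        return None
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group("pid")) if m else None


def triage(procs: list[Proc]) -> dict[str, list]:
    """Four checks over a process list; each result is a sorted list."""
    loads = {p.pid: parse_rundll32(p.cmdline) for p in procs}
    loads = {pid: load for pid, load in loads.items() if load}

    # 1. DLL loaded from a user-writable temp directory.
    temp_dll = sorted({l["dll"] for l in loads.values() if USER_WRITABLE_RE.search(l["dll"])})
    # 2. Export called by ordinal: no symbol name to review, and rundll32 calls whatever
    #    sits at that ordinal with its own (hwnd, hinst, cmdline, show) argument convention.
    ordinal_export = sorted({l["dll"] for l in loads.values() if l["ordinal"] is not None})
    # 3. System32\rundll32 and SysWOW64\rundll32 running the *same* command line: the
    #    64-bit rundll32 relaunching its 32-bit copy for a 32-bit DLL. Expected, not injection.
    images_by_cmd: dict[str, set[str]] = {}
    for p in procs:
        if p.pid in loads:
            images_by_cmd.setdefault(p.cmdline, set()).add(p.image.lower())
    wow64_relaunch = sorted(
        parse_rundll32(cmd)["dll"]
        for cmd, images in images_by_cmd.items()
        if any(i.endswith(r"\system32\rundll32.exe") for i in images)
        and any(i.endswith(r"\syswow64\rundll32.exe") for i in images)
    )
    # 4. WerFault -p <pid> pointing at one of the rundll32 PIDs: the export crashed under
    #    rundll32. Reported as (pid, dll); on its own this says only that the export does
    #    not survive rundll32's calling convention, not that the DLL is malicious.
    crashed_pids = {parse_werfault(p.cmdline) for p in procs} - {None}
    crashed_in = sorted((pid, loads[pid]["dll"]) for pid in crashed_pids if pid in loads)

    return {
        "temp_dll": temp_dll,
        "ordinal_export": ordinal_export,
        "wow64_relaunch": wow64_relaunch,
        "crashed_in": crashed_in,
    }


# Constructed sample: behavioral12 (Speaker.dll, crashed) and behavioral13 (UnzDll.dll,
# no crash) merged. rundll32 PIDs come from the report's signature tables; the WerFault
# PIDs 9001/9002 are made up, since the report does not list them.
SAMPLE = [
    Proc(224, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Speaker.dll,#1"),
    Proc(4680, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Speaker.dll,#1"),
    Proc(9001, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680"),
    Proc(9002, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 512"),
    Proc(2712, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnzDll.dll,#1"),
    Proc(804, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnzDll.dll,#1"),
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        print(f"{category}: {hits}")
```

Run against the sample, both DLLs land in the temp_dll, ordinal_export and wow64_relaunch lists and only Speaker.dll (PID 4680) in crashed_in. The first two checks are the ones worth alerting on outside a sandbox; the third is the reason the WriteProcessMemory rows in these reports are noise rather than a finding.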