Analysis Overview
SHA256
fb8844d36e0b52aa5cd7a8e1983d8ba2b4b99d8fb77839515064d2c619f93add
Threat Level: Shows suspicious behavior
The file DTPro821-0709 — копия.exe was assessed as: shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Loads dropped DLL
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 09:11
Signatures
Unsigned PE
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\SRL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:13
Platform
win11-20240508-en
Max time kernel
111s
Max time network
96s
Command Line
Signatures
VMProtect packed file
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4768 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\DTPro821-0709 — копия.exe | C:\Users\Admin\AppData\Local\Temp\DTPro821-0709 — копия.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DTPro821-0709 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\DTPro821-0709 — копия.exe"
C:\Users\Admin\AppData\Local\Temp\DTPro821-0709 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\DTPro821-0709 — копия.exe" /tmppath "C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp" /handle 4768 /posx 388 /posy 141 /eula 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | secure.disc-soft.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\setuphlp.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\sptdintf.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\BGR.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\BIH.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\CHT.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\CSY.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\ENU.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\ESN.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\HUN.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\ITA.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\SVE.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\UKR.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\TRK.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\SRL.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\RUS.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\ROM.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\PTP.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\PTB.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\PLK.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\JPN.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\IND.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\HYE.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\HEB.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\FRA.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\FIN.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\DEU.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\Lang\CHS.dll
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\DTLicenseServerAddrSubscr.ini
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\DTSetupHelper.exe
C:\Users\Admin\AppData\Local\Temp\nsq47AA.tmp\daemonWizard.bmp
C:\ProgramData\DAEMON Tools Pro\settings.ini
C:\Users\Admin\AppData\Local\Temp\nsu9F20.tmp\DTLicenseServerAddrSubscr.ini
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\CSY.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
91s
Max time network
93s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\PLK.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 576 wrote to memory of 3692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3692 -ip 3692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 460
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\ESN.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\IND.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\UKR.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lang\BIH.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\HEB.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
89s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\ENU.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
14s
Max time network
115s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\JPN.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\SVE.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\BIH.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\ITA.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240419-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\PTP.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\ROM.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\PTB.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.30:443 | | tcp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\TRK.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 4012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 544
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\BGR.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\DEU.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\FIN.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\HYE.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3732 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setuphlp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setuphlp.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240419-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\CHS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\HUN.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240419-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\RUS.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\FRA.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Lang\CHT.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lang\BGR.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-29 09:11
Reported
2024-06-29 09:14
Platform
win11-20240611-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lang\CHS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |