Malware analysis AnyDVD_HD_8_1_4_0_2b.rar Malicious activity

Add for printing

File name:	AnyDVD_HD_8_1_4_0_2b.rar
Full analysis:	https://app.any.run/tasks/22ebcb5c-3166-4087-af73-9f77c1227eb6
Verdict:	Malicious activity
Analysis date:	December 21, 2024, 17:33:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	42D768429FEC6F1D3264DB4BBEBCE9E1
SHA1:	36A2ABBEABE96F30AE67033DC7FFADA9A95892EA
SHA256:	02BDA9AAEBFB0F992E5AB6029DDE24204BC2754981997E46C01175C72C96B770
SSDEEP:	98304:l7pvFumQJrhfX8o6bsLueb6vgEFTpuyvvBv91S90uTwAwEKaC4nxbp9lYupeNe/C:1g/skZ4IrvFO6nK73WYeW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 7100)
- Changes the autorun value in the registry
  - nst68A1.tmp (PID: 6388)
  - AnyDVDtray.exe (PID: 3052)
- Executing a file with an untrusted certificate
  - ADvdDiscHlp64.exe (PID: 6812)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 7100)
  - WinRAR.exe (PID: 6884)
  - WinRAR.exe (PID: 1804)
- Starts application with an unusual extension
  - SetupAnyDVD8140.exe (PID: 3952)
- Executable content was dropped or overwritten
  - SetupAnyDVD8140.exe (PID: 3952)
  - nst68A1.tmp (PID: 6388)
  - patch.exe (PID: 6304)
  - patch.exe (PID: 5528)
- Starts itself from another location
  - SetupAnyDVD8140.exe (PID: 3952)
- Creates or modifies Windows services
  - nst68A1.tmp (PID: 6388)
- Drops a system driver (possible attempt to evade defenses)
  - nst68A1.tmp (PID: 6388)
- Creates files in the driver directory
  - nst68A1.tmp (PID: 6388)
- Creates a software uninstall entry
  - nst68A1.tmp (PID: 6388)
- Detected use of alternative data streams (AltDS)
  - AnyDVDtray.exe (PID: 3052)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 7100)
  - WinRAR.exe (PID: 6884)
  - WinRAR.exe (PID: 1804)
- Creates files in the program directory
  - AnyDVDtray.exe (PID: 3612)
  - nst68A1.tmp (PID: 6388)
  - patch.exe (PID: 6304)
  - patch.exe (PID: 5528)
- Checks supported languages
  - AnyDVDtray.exe (PID: 3612)
  - SetupAnyDVD8140.exe (PID: 3952)
  - nst68A1.tmp (PID: 6388)
  - setacl.exe (PID: 6484)
  - setacl.exe (PID: 3076)
  - DevCon.exe (PID: 3988)
  - AnyDVDtray.exe (PID: 5200)
  - DevCon.exe (PID: 4444)
  - AnyDVD.exe (PID: 4996)
  - AnyDVDtray.exe (PID: 5236)
  - AnyDVD.exe (PID: 5920)
  - SetRegACL.exe (PID: 3208)
  - patch.exe (PID: 6304)
  - AnyDVD.exe (PID: 6440)
  - AnyDVDtray.exe (PID: 3052)
  - ADvdDiscHlp64.exe (PID: 6812)
  - ADvdDiscHlp64.exe (PID: 3076)
  - patch.exe (PID: 5528)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7100)
  - WinRAR.exe (PID: 6884)
  - WinRAR.exe (PID: 1804)
- Reads the computer name
  - nst68A1.tmp (PID: 6388)
  - AnyDVDtray.exe (PID: 3612)
  - AnyDVDtray.exe (PID: 5236)
  - AnyDVDtray.exe (PID: 5200)
  - patch.exe (PID: 6304)
  - AnyDVDtray.exe (PID: 3052)
  - ADvdDiscHlp64.exe (PID: 6812)
  - patch.exe (PID: 5528)
- Create files in a temporary directory
  - SetupAnyDVD8140.exe (PID: 3952)
  - nst68A1.tmp (PID: 6388)
- The sample compiled with german language support
  - nst68A1.tmp (PID: 6388)
- The sample compiled with english language support
  - nst68A1.tmp (PID: 6388)
- Manual execution by a user
  - AnyDVD.exe (PID: 5920)
  - WinRAR.exe (PID: 6884)
  - AnyDVD.exe (PID: 6440)
  - WinRAR.exe (PID: 1804)
- Reads the machine GUID from the registry
  - AnyDVDtray.exe (PID: 3052)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	14107794
UncompressedSize:	14125832
OperatingSystem:	Win32
ArchivedFileName:	SetupAnyDVD8140.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1804

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Cracked.READ.NFO-BRD.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3032

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

ADvdDiscHlp64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3052

"C:\Program Files (x86)\RedFox\AnyDVD\AnyDVDtray.exe"

C:\Program Files (x86)\RedFox\AnyDVD\AnyDVDtray.exe

AnyDVD.exe

User:

admin

Company:

RedFox

Integrity Level:

MEDIUM

Description:

AnyDVD Application

Exit code:

3221225477

Version:

8.1.4.0

Modules

Images
c:\program files (x86)\redfox\anydvd\anydvdtray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\version.dll

3076

"C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\SetACL.exe" "MACHINE\SOFTWARE\SlySoft\AnyDVD\Status" /registry /grant S-1-5-32-545 /full /sid /silent

C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\setacl.exe

—

nst68A1.tmp

User:

admin

Company:

Helge Klein

Integrity Level:

HIGH

Description:

SetACL

Exit code:

Version:

0, 9, 0, 4

Modules

Images
c:\users\admin\appdata\local\temp\nst6a56.tmp\setacl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3076

ADvdDiscHlp64.exe /u

C:\Program Files (x86)\RedFox\AnyDVD\ADvdDiscHlp64.exe

—

AnyDVDtray.exe

User:

admin

Integrity Level:

MEDIUM

Description:

AnyDVD 64bit helper

Exit code:

Version:

3, 0, 0, 1

Modules

Images
c:\program files (x86)\redfox\anydvd\advddischlp64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\program files (x86)\redfox\anydvd\advddischlp64.dll

3188

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

DevCon.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3208

"C:\Program Files (x86)\RedFox\AnyDVD\SetRegACL.exe" Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons 64

C:\Program Files (x86)\RedFox\AnyDVD\SetRegACL.exe

—

nst68A1.tmp

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files (x86)\redfox\anydvd\setregacl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3612

"C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\AnyDVDTray.exe" -c

C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\AnyDVDtray.exe

—

nst68A1.tmp

User:

admin

Company:

RedFox

Integrity Level:

HIGH

Description:

AnyDVD Application

Exit code:

Version:

8.1.4.0

Modules

Images
c:\users\admin\appdata\local\temp\nst6a56.tmp\anydvdtray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

3732

"C:\Users\admin\AppData\Local\Temp\Rar$EXa1804.30957\patch.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa1804.30957\patch.exe

—

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa1804.30957\patch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3952

"C:\Users\admin\AppData\Local\Temp\Rar$EXa7100.25794\SetupAnyDVD8140.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa7100.25794\SetupAnyDVD8140.exe

WinRAR.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa7100.25794\setupanydvd8140.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

6 669

Read events

6 301

Write events

365

Delete events

Modification events


(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\AnyDVD_HD_8_1_4_0_2b.rar
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6388) nst68A1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SlySoft\AnyDVD
Operation:	write	Name:	Affiliate
Value: 0
(PID) Process:	(6388) nst68A1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SlySoft\AnyDVD
Operation:	write	Name:	ADvdDiscHlp
Value: C:\Program Files (x86)\RedFox\AnyDVD\ADvdDiscHlp.dll

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\setacl.exe		executable
		MD5:ACDE12FA9A971A254C76C34C0BBE8608	SHA256:243DEE6B04AA006BAEE70922DBE9AA80FD0682CBEF5E12AD1540CFD8D1188705
3952	SetupAnyDVD8140.exe	C:\Users\admin\AppData\Local\Temp\nst68A0.tmp\nst68A1.tmp		executable
		MD5:6E8D35CD4E2E0EB185971915B56D24A1	SHA256:A7269D8A20956352A211ED02264F29BDDD57485ED44312756C12C0DF9F1EDC48
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\Language\AnyDVDfi.lng		binary
		MD5:400D6170548F868173BE315C82E3EB35	SHA256:91E1885FC51D95E8F66529FB63D89C6C6D3F6E578261C82476E902FB0F75A600
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\Language\AnyDVDar.lng		binary
		MD5:3CE96C4952E3596984ABB7CB73E4247F	SHA256:E2BBA6938976CFA071B20B626D017AA61C0EDB064005D51BC1993AC7BAD19157
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\ExecuteWithUAC.exe		executable
		MD5:549E70189FA7B3034A8E58A48CB353C0	SHA256:BB23AC0440D9DE37D035E68895C53C559DF4F31C8D0905033AB40AD0A2910E77
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\Language\AnyDVDca.lng		binary
		MD5:EC2215A5307B916046CB802D46F9C2AC	SHA256:01E7DAC6DC3E1DD72E21AB799AAC0B08F1CCD3846F2E55B27BEB6D03AAEFDF0E
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\InstallHelp.dll		executable
		MD5:83B07F94937A933CC1CD4AA07210BAB0	SHA256:BC68FEF64641E6C17430A956664464ECD0E58439789B685051F41E7FE4D31098
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\Language\AnyDVDel.lng		binary
		MD5:A53E4B9A06A14C68EA65DE9BC4144BAE	SHA256:4B445E6629172A7D87579791FF3ACD5EE313E46CA6A2E141063486A06611C3E2
7100	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7100.25794\SetupAnyDVD8140.exe		executable
		MD5:6E8D35CD4E2E0EB185971915B56D24A1	SHA256:A7269D8A20956352A211ED02264F29BDDD57485ED44312756C12C0DF9F1EDC48
6388	nst68A1.tmp	C:\Users\admin\AppData\Local\Temp\nst6A56.tmp\Language\AnyDVDda.lng		binary
		MD5:1910EE1A3EF65E2BE9DF799D7CAA3992	SHA256:1CFB702804D972528E7D68125DC465097C00DBF7EB99177FBC779AE5833111CA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6612	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6904	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	104.126.37.123:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
google.com	142.250.74.206	whitelisted
www.bing.com	104.126.37.123 104.126.37.130 104.126.37.171 104.126.37.137 104.126.37.176 104.126.37.139 104.126.37.131 104.126.37.128 104.126.37.178	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.71 20.190.159.2 40.126.31.73 20.190.159.64 20.190.159.75 20.190.159.71 20.190.159.73 20.190.159.4	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
arc.msn.com	20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

AnyDVD_HD_8_1_4_0_2b.rar

42D768429FEC6F1D3264DB4BBEBCE9E1

36A2ABBEABE96F30AE67033DC7FFADA9A95892EA

02BDA9AAEBFB0F992E5AB6029DDE24204BC2754981997E46C01175C72C96B770

98304:l7pvFumQJrhfX8o6bsLueb6vgEFTpuyvvBv91S90uTwAwEKaC4nxbp9lYupeNe/C:1g/skZ4IrvFO6nK73WYeW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Changes the autorun value in the registry

Executing a file with an untrusted certificate

SUSPICIOUS

Reads security settings of Internet Explorer

Starts application with an unusual extension

Executable content was dropped or overwritten

Starts itself from another location

Creates or modifies Windows services

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates a software uninstall entry

Detected use of alternative data streams (AltDS)

INFO

The process uses the downloaded file

Creates files in the program directory

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

Create files in a temporary directory

The sample compiled with german language support

The sample compiled with english language support

Manual execution by a user

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings