File name: dvt-nch_activator.exe

Full analysis: https://app.any.run/tasks/ef4970a9-27c4-49f4-a392-42fd7e4a8b82
Verdict: Malicious activity
Analysis date: August 10, 2024, 10:01:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: D2F01DB513FA75CE18D15772380690DE
SHA1: A449CAA1388AB97BE29C58CBAB073BBD5AC440D4
SHA256: 214FFD060EE6EBAE6727866FB133484F17FF5BEA4CCF233DB3E1E2503D2C6E1A
SSDEEP: 3072:hCYa+0Nu6vQAkQ5S7JmyxCbBKhiTbMG6d7lE1Eu3e6MqpA:uQLi8NiTbF6dpEWu3e6Mqu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for the user's acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 5116)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • dvt-nch_activator.exe (PID: 6408)
    • Executable content was dropped or overwritten

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
    • Starts CMD.EXE for commands execution

      • dvt-nch_activator.exe (PID: 6408)
    • Reads security settings of Internet Explorer

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • dreamplan.exe (PID: 2080)
    • Drops the executable file immediately after the start

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
      • dvt-nch_activator.exe (PID: 6408)
    • Reads the date of Windows installation

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 5116)
    • Searches for installed software

      • nchsetup.exe (PID: 5116)
    • Starts itself from another location

      • nchsetup.exe (PID: 5116)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 5116)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6476)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6476)
  • INFO

    • Checks supported languages

      • dvt-nch_activator.exe (PID: 6408)
      • mode.com (PID: 6512)
      • chcp.com (PID: 6492)
      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • infozip3.exe (PID: 1236)
      • zlib1v3.exe (PID: 3116)
      • dreamplan.exe (PID: 3160)
      • dreamplan.exe (PID: 2080)
      • identity_helper.exe (PID: 6780)
      • dreamplan.exe (PID: 6552)
      • dreamplan.exe (PID: 6128)
    • Changes the display of characters in the console

      • chcp.com (PID: 6492)
    • Create files in a temporary directory

      • dvt-nch_activator.exe (PID: 6408)
      • designsetup.exe (PID: 2648)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
      • dreamplan.exe (PID: 2080)
      • dreamplan.exe (PID: 6128)
    • Manual execution by a user

      • designsetup.exe (PID: 6140)
      • designsetup.exe (PID: 2648)
      • dreamplan.exe (PID: 6552)
      • dreamplan.exe (PID: 6128)
    • Reads the computer name

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • dreamplan.exe (PID: 2080)
      • dreamplan.exe (PID: 3160)
      • dreamplan.exe (PID: 6552)
      • identity_helper.exe (PID: 6780)
      • dreamplan.exe (PID: 6128)
    • Process checks computer location settings

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
    • Creates files in the program directory

      • nchsetup.exe (PID: 5116)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
      • dreamplan.exe (PID: 2080)
      • dreamplan.exe (PID: 6128)
    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 5116)
    • Reads the software policy settings

      • nchsetup.exe (PID: 5116)
    • Reads Microsoft Office registry keys

      • nchsetup.exe (PID: 5116)
      • dreamplan.exe (PID: 2080)
      • msedge.exe (PID: 1700)
      • msedge.exe (PID: 2340)
    • Creates files or folders in the user directory

      • dreamplan.exe (PID: 2080)
    • Application launched itself

      • msedge.exe (PID: 1700)
      • msedge.exe (PID: 2340)
    • Reads Environment values

      • identity_helper.exe (PID: 6780)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70656
InitializedDataSize: 415744
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: NCH Software Products Activator
CompanyName: TEAM DVT
LegalCopyright: e!DVT 2k21
All screenshots are available in the full report
Total processes: 209
Monitored processes: 70
Malicious processes: 2
Suspicious processes: 2

Behavior graph

start dvt-nch_activator.exe conhost.exe no specs cmd.exe no specs chcp.com no specs mode.com no specs designsetup.exe no specs designsetup.exe nchsetup.exe zlib1v3.exe infozip3.exe dreamplan.exe dreamplan.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs dreamplan.exe no specs dreamplan.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs dvt-nch_activator.exe no specs

Process information

PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4216 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 420
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2792 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 532
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 640
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6344 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7fffd43d5fd8,0x7fffd43d5fe4,0x7fffd43d5ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1048
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2484 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1120
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4996 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 3221226029
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID: 1168
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4224 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3452 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 27 342
Read events: 27 053
Write events: 266
Delete events: 23

Modification events

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: DreamPlanInstall
Value: C:\Users\admin\Desktop\designsetup.exe

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Software
Operation: write
Name: SVar
Value: DREAMPLANRelatedprogramsfreeon

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Software
Operation: write
Name: SVar
Value: DREAMPLANRelatedprogramsfreeonDREAMPLANDarkv2off

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Settings
Operation: write
Name: InstalledByAdmin
Value: 1

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\UsageStatsChoice
Operation: write
Name: llinad
Value: 1

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 14
Suspicious files: 389
Text files: 153
Unknown types: 20

Dropped files

PID: 6408 | Process: dvt-nch_activator.exe | Filename: C:\Users\admin\AppData\Local\Temp\533C.tmp\533D.tmp\533E.bat | Type: text
MD5: 40CD0589E94A4467629DBE364D7B43CE
SHA256: 0F1E3B46AD6991541D6F8FB064F60E785E094F189DBD4AA59642879DB6536432

PID: 6408 | Process: dvt-nch_activator.exe | Filename: C:\Users\admin\AppData\Local\Temp\533C.tmp\header_success.txt | Type: text
MD5: 03668F06A5AB6FE4017AB4DD68F4E21F
SHA256: 364C6698D8F8E2BEAE6E4BD1F07A592CCC2FB31B4EAC80B07D013D065D7CBF67

PID: 6408 | Process: dvt-nch_activator.exe | Filename: C:\Users\admin\AppData\Local\Temp\533C.tmp\header.txt | Type: text
MD5: 49AB74166AA726680559F3EEAA10DCCE
SHA256: B267830CFE058135F3C59CEC9A1B74867FDDEF2B3E4792767DC5B0C1AAF5FB88

PID: 6408 | Process: dvt-nch_activator.exe | Filename: C:\Users\admin\AppData\Local\Temp\533C.tmp\smenu.txt | Type: text
MD5: 34BD49CFA90AA231615721FCC1264D55
SHA256: 4DDEA2D66A94FA6DF14832D669858C637F79511965A66A43FCC39F6B3087B370

PID: 2648 | Process: designsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab | Type: compressed
MD5: 8D6E7AF2B9A38A70F56B9D78D73E3452
SHA256: 151591AA29E3A823F6FDDC0D478C703DE0AC3CD2DFFC68F0D4D09CE6F8EBB4AE

PID: 2648 | Process: designsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | Type: compressed
MD5: F570F7CE82E2C62437D9476CF9740424
SHA256: 3F3C20FFC59189419A98A79309EA0D3CB4C8DFD73B23AC42DB4C5E9D73DB8DCD

PID: 2648 | Process: designsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | Type: executable
MD5: 85529F888D2C01CFCCC491A001A479CA
SHA256: 6AFC5154FFCAA2B1274B2AC5D11F53D79E9B6817C997AFF778A0CA1B71E16F5D

PID: 2648 | Process: designsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat | Type: executable
MD5: FB51AB09763C048B1418EBD1800BF4B4
SHA256: 0EF55B6A24DAE285EC4FEFB60529F03F2B0317FC47ECB7EE8EC2324EB317E172

PID: 5116 | Process: nchsetup.exe | Filename: C:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exe | Type: executable
MD5: 85529F888D2C01CFCCC491A001A479CA
SHA256: 6AFC5154FFCAA2B1274B2AC5D11F53D79E9B6817C997AFF778A0CA1B71E16F5D

PID: 5116 | Process: nchsetup.exe | Filename: C:\ProgramData\NCH Software\DreamPlan\engine\SkyDome2.3dn | Type: binary
MD5: 75B9B6AD4EF8783F040C88F5B9B3ACD8
SHA256: 3B622AFDDF3DD817102E8FBB5D24EE10B3548B2CC5E19F724DD89B150F24B901
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 40
TCP/UDP connections: 132
DNS requests: 130
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6872
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6796
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2080
dreamplan.exe
GET
200
66.39.83.117:80
http://www.audiochannel.net/stock/dreamplan/dod/newobjects.db
unknown
whitelisted
2080
dreamplan.exe
GET
200
66.39.83.117:80
http://www.audiochannel.net/stock/dreamplan/textures/textures.csv
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1748
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f5dc880b-35b4-464e-b485-1acfdbbc27fa?P1=1723881240&P2=404&P3=2&P4=d%2b9VrJ3UKlJr9KUqjQ7TQfQgjKVeQZ3P771kECmSEVxeguxgeVeuNQA2I5%2fUwJrPg8DzSKemjOoaMAgbsbWfHQ%3d%3d
unknown
whitelisted
6128
dreamplan.exe
GET
200
66.39.83.117:80
http://www.audiochannel.net/stock/dreamplan/dod/newobjects.db
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5240
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4100
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5240
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5336
SearchApp.exe
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2272
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
th.bing.com
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

No threats detected
No debug info