File name: dvt-nch_activator.exe
Full analysis: https://app.any.run/tasks/ef4970a9-27c4-49f4-a392-42fd7e4a8b82
Verdict: Malicious activity
Analysis date: August 10, 2024, 10:01:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: D2F01DB513FA75CE18D15772380690DE
SHA1: A449CAA1388AB97BE29C58CBAB073BBD5AC440D4
SHA256: 214FFD060EE6EBAE6727866FB133484F17FF5BEA4CCF233DB3E1E2503D2C6E1A
SSDEEP: 3072:hCYa+0Nu6vQAkQ5S7JmyxCbBKhiTbMG6d7lE1Eu3e6MqpA:uQLi8NiTbF6dpEWu3e6Mqu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 5116)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • dvt-nch_activator.exe (PID: 6408)
      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
    • Executing commands from a ".bat" file

      • dvt-nch_activator.exe (PID: 6408)
    • Starts CMD.EXE for commands execution

      • dvt-nch_activator.exe (PID: 6408)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6476)
    • Executable content was dropped or overwritten

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • infozip3.exe (PID: 1236)
      • zlib1v3.exe (PID: 3116)
    • Reads security settings of Internet Explorer

      • nchsetup.exe (PID: 5116)
      • designsetup.exe (PID: 2648)
      • dreamplan.exe (PID: 2080)
    • Reads the date of Windows installation

      • nchsetup.exe (PID: 5116)
      • designsetup.exe (PID: 2648)
    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 5116)
    • Searches for installed software

      • nchsetup.exe (PID: 5116)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 5116)
    • Starts itself from another location

      • nchsetup.exe (PID: 5116)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6476)
  • INFO

    • Checks supported languages

      • dvt-nch_activator.exe (PID: 6408)
      • mode.com (PID: 6512)
      • chcp.com (PID: 6492)
      • designsetup.exe (PID: 2648)
      • zlib1v3.exe (PID: 3116)
      • nchsetup.exe (PID: 5116)
      • dreamplan.exe (PID: 2080)
      • dreamplan.exe (PID: 3160)
      • infozip3.exe (PID: 1236)
      • identity_helper.exe (PID: 6780)
      • dreamplan.exe (PID: 6552)
      • dreamplan.exe (PID: 6128)
    • Create files in a temporary directory

      • dvt-nch_activator.exe (PID: 6408)
      • designsetup.exe (PID: 2648)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
      • dreamplan.exe (PID: 2080)
      • dreamplan.exe (PID: 6128)
    • Changes the display of characters in the console

      • chcp.com (PID: 6492)
    • Manual execution by a user

      • designsetup.exe (PID: 6140)
      • designsetup.exe (PID: 2648)
      • dreamplan.exe (PID: 6552)
      • dreamplan.exe (PID: 6128)
    • Reads the computer name

      • designsetup.exe (PID: 2648)
      • nchsetup.exe (PID: 5116)
      • dreamplan.exe (PID: 3160)
      • dreamplan.exe (PID: 2080)
      • dreamplan.exe (PID: 6552)
      • identity_helper.exe (PID: 6780)
      • dreamplan.exe (PID: 6128)
    • Creates files in the program directory

      • nchsetup.exe (PID: 5116)
      • zlib1v3.exe (PID: 3116)
      • infozip3.exe (PID: 1236)
      • dreamplan.exe (PID: 6128)
      • dreamplan.exe (PID: 2080)
    • Process checks computer location settings

      • nchsetup.exe (PID: 5116)
      • designsetup.exe (PID: 2648)
    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 5116)
    • Reads Microsoft Office registry keys

      • nchsetup.exe (PID: 5116)
      • dreamplan.exe (PID: 2080)
      • msedge.exe (PID: 1700)
      • msedge.exe (PID: 2340)
    • Creates files or folders in the user directory

      • dreamplan.exe (PID: 2080)
    • Application launched itself

      • msedge.exe (PID: 1700)
      • msedge.exe (PID: 2340)
    • Reads the software policy settings

      • nchsetup.exe (PID: 5116)
    • Reads Environment values

      • identity_helper.exe (PID: 6780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70656
InitializedDataSize: 415744
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: NCH Software Products Activator
CompanyName: TEAM DVT
LegalCopyright: e!DVT 2k21
No data.
All screenshots are available in the full report
Total processes: 209
Monitored processes: 70
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes shown in the graph (per-process details are in the full report): dvt-nch_activator.exe, conhost.exe, cmd.exe, chcp.com, mode.com, designsetup.exe, nchsetup.exe, zlib1v3.exe, infozip3.exe, dreamplan.exe, reg.exe, msedge.exe, identity_helper.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4216 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 420
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2792 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 532
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 640
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6344 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7fffd43d5fd8,0x7fffd43d5fe4,0x7fffd43d5ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1048
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2484 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1120
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4996 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID: 1168
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4224 --field-trial-handle=2348,i,9031090901164952492,1392998353148663815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3452 --field-trial-handle=2512,i,2449964122956513702,18076144454746648327,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 27 342
Read events: 27 053
Write events: 266
Delete events: 23

Modification events

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2648) designsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: DreamPlanInstall
Value: C:\Users\admin\Desktop\designsetup.exe

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Software
Operation: write
Name: SVar
Value: DREAMPLANRelatedprogramsfreeon

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Software
Operation: write
Name: SVar
Value: DREAMPLANRelatedprogramsfreeonDREAMPLANDarkv2off

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Settings
Operation: write
Name: InstalledByAdmin
Value: 1

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\UsageStatsChoice
Operation: write
Name: llinad
Value: 1

(PID) Process: (5116) nchsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 14
Suspicious files: 389
Text files: 153
Unknown types: 20

Dropped files

PID | Process | Filename | Type

6408 | dvt-nch_activator.exe | C:\Users\admin\AppData\Local\Temp\533C.tmp\533D.tmp\533E.bat | text
MD5: 40CD0589E94A4467629DBE364D7B43CE
SHA256: 0F1E3B46AD6991541D6F8FB064F60E785E094F189DBD4AA59642879DB6536432

6408 | dvt-nch_activator.exe | C:\Users\admin\AppData\Local\Temp\533C.tmp\header.txt | text
MD5: 49AB74166AA726680559F3EEAA10DCCE
SHA256: B267830CFE058135F3C59CEC9A1B74867FDDEF2B3E4792767DC5B0C1AAF5FB88

2648 | designsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab | compressed
MD5: 8D6E7AF2B9A38A70F56B9D78D73E3452
SHA256: 151591AA29E3A823F6FDDC0D478C703DE0AC3CD2DFFC68F0D4D09CE6F8EBB4AE

2648 | designsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | compressed
MD5: F570F7CE82E2C62437D9476CF9740424
SHA256: 3F3C20FFC59189419A98A79309EA0D3CB4C8DFD73B23AC42DB4C5E9D73DB8DCD

5116 | nchsetup.exe | C:\ProgramData\NCH Software\DreamPlan\engine\SkyDome2.3dn | binary
MD5: 75B9B6AD4EF8783F040C88F5B9B3ACD8
SHA256: 3B622AFDDF3DD817102E8FBB5D24EE10B3548B2CC5E19F724DD89B150F24B901

5116 | nchsetup.exe | C:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exe | executable
MD5: 85529F888D2C01CFCCC491A001A479CA
SHA256: 6AFC5154FFCAA2B1274B2AC5D11F53D79E9B6817C997AFF778A0CA1B71E16F5D

5116 | nchsetup.exe | C:\Program Files (x86)\NCH Software\DreamPlan\shellmenu.dll | executable
MD5: 0FD64AB08FC8FE46C3B95B67324F9A17
SHA256: AD9A025170647C578F08B787F1307D1F41B7F63978F8F76887F13C4FBA4C05FD

5116 | nchsetup.exe | C:\ProgramData\NCH Software\DreamPlan\engine\ball.3dn | binary
MD5: ABA051A545063F117EA63A125A3D4D20
SHA256: F6DCC867293AA75FCC09BF095DCD81EEC550594DF0445596A35D6A4251CC877D

5116 | nchsetup.exe | C:\Program Files (x86)\NCH Software\DreamPlan\shellmenub.msix | compressed
MD5: CAF0E9FA3575934D0B405F8966944DDB
SHA256: 923716C343CEC0DF7A43CBC50FBC921E58C9C8201A94DBC3BD9FC8E38A8339AC

5116 | nchsetup.exe | C:\ProgramData\NCH Software\DreamPlan\engine\pen.3dn | binary
MD5: 43C7C47F67F58CEF0228240869DB54B4
SHA256: D83571267CEB0C7622EC44270DDB46E5495DF96EB5152419875FD46E39046307
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 132
DNS requests: 130
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6796
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2080
dreamplan.exe
GET
200
66.39.83.117:80
http://www.audiochannel.net/stock/dreamplan/textures/textures.csv
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6872
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2080
dreamplan.exe
GET
200
66.39.83.117:80
http://www.audiochannel.net/stock/dreamplan/dod/newobjects.db
unknown
whitelisted
1748
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f5dc880b-35b4-464e-b485-1acfdbbc27fa?P1=1723881240&P2=404&P3=2&P4=d%2b9VrJ3UKlJr9KUqjQ7TQfQgjKVeQZ3P771kECmSEVxeguxgeVeuNQA2I5%2fUwJrPg8DzSKemjOoaMAgbsbWfHQ%3d%3d
unknown
whitelisted
6128
dreamplan.exe
GET
200
66.39.83.117:80
http://www.audiochannel.net/stock/dreamplan/textures/textures.csv
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5240
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4100
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5240
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5336
SearchApp.exe
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2272
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.178
  • 104.126.37.155
  • 104.126.37.123
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.177
  • 104.126.37.161
  • 104.126.37.160
  • 104.126.37.163
  • 204.79.197.200
  • 13.107.21.200
  • 104.126.37.144
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.128
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.74
  • 40.126.32.133
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.140
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
th.bing.com
  • 104.126.37.144
  • 104.126.37.128
  • 104.126.37.162
  • 104.126.37.155
  • 104.126.37.137
  • 104.126.37.160
  • 104.126.37.153
  • 104.126.37.123
  • 104.126.37.161
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

No threats detected
No debug info