File name: MediaInfo_GUI_24.12_Windows.exe

Full analysis: https://app.any.run/tasks/40ec79f9-2996-491a-8084-ce9c7ce4b45a
Verdict: Malicious activity
Analysis date: December 23, 2024, 11:43:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 8644818749031AAE77B66462BFC1CD97
SHA1: BC1F9C08C165F8EC64B7C85BD14434FC391C7048
SHA256: 7DE8C5D7B7654ACCEB54AA4484014C6FA0D470CDC5A2130E6DFB7B2E2AA15F8F
SSDEEP: 196608:eVqoQvtR+kXXziAeoJjV1EVek26mgUjjT0OvEpvnVP:/oytgkXXzleoFVsVmjjjT0OvEVP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Creates a software uninstall entry

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 7052)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • The process creates files with name similar to system file names

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Executable content was dropped or overwritten

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Reads security settings of Internet Explorer

      • MediaInfo.exe (PID: 7140)
      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Checks Windows Trust Settings

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
  • INFO

    • Checks supported languages

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
      • MediaInfo.exe (PID: 7140)
    • Reads the machine GUID from the registry

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Creates files or folders in the user directory

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
      • MediaInfo.exe (PID: 7140)
    • Reads the software policy settings

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Creates files in the program directory

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • The process uses the downloaded file

      • explorer.exe (PID: 7100)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7100)
    • Reads the computer name

      • MediaInfo.exe (PID: 7140)
      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Reads Environment values

      • MediaInfo.exe (PID: 7140)
    • Checks proxy server information

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • Create files in a temporary directory

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
    • The sample compiled with english language support

      • MediaInfo_GUI_24.12_Windows.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
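Reading the verdict: the MALICIOUS rating rests on one signature, the installer (PID 6676) running regsvr32 on C:\Program Files\MediaInfo\MediaInfo_InfoTip.dll, a module inside the directory the same installer populates (the uninstall entries below point at that tree). The second regsvr32 (PID 6884, System32, parent regsvr32.exe) is consistent with the SysWOW64 regsvr32 handing a 64-bit DLL to the native one, not a second registration; both exit with code 5, so whether the extension actually got registered should be confirmed from the registry events in the full report (the modification events excerpted here contain no CLSID writes). The "System.dll in Temp" hit is the NSIS System plugin unpacked into the installer's nsf9679.tmp directory next to INetC.dll, the NSIS download plugin, and the single 9-byte HTTPS GET to mediaarea.net/install/MediaInfo/24.12.0.0 ends up in temp.txt and in the INetCache entry with identical hashes, which is consistent with a version check. "Explorer used for Indirect Command Execution" is the elevated installer (HIGH) starting explorer.exe with MediaInfo.exe as its argument, so that MediaInfo.exe (PID 7140) runs at MEDIUM under explorer.exe. None of this shows the file is the vendor's build: the report performs no Authenticode verification and no comparison of the hashes above with the hashes MediaArea publishes, and that comparison is the check that settles the verdict.

The following Python is an added example, not part of the ANY.RUN report and not MediaInfo code. It transcribes the seven process records from the Process information section and applies the two heuristics just described, separating an installer's in-tree registration and a WoW64 relaunch from regsvr32 loading a module out of a user-writable path, and pairing the explorer.exe launch with the child it produced so the integrity drop is visible. The record marked CONSTRUCTED (PID 9999, winword.exe parent) is invented here for contrast and does not appear in the report.

```python
"""Added triage example over the report's process records (not ANY.RUN or
MediaInfo code). Records are transcribed from "Process information"; the one
marked CONSTRUCTED is invented here for contrast."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # report "Path" column
    cmd: str        # report "CMD" column
    parent: str     # report "Parent process" column
    integrity: str  # report "Integrity Level"


INSTALLER = r"C:\Users\admin\Desktop\MediaInfo_GUI_24.12_Windows.exe"
REPORT_PROCESSES = [  # transcribed from the report
    Proc(6524, INSTALLER, f'"{INSTALLER}"', "explorer.exe", "MEDIUM"),
    Proc(6676, INSTALLER, f'"{INSTALLER}"', "explorer.exe", "HIGH"),
    Proc(6872, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'"C:\WINDOWS\system32\regsvr32.exe" "C:\Program Files\MediaInfo\MediaInfo_InfoTip.dll" /s',
         "MediaInfo_GUI_24.12_Windows.exe", "HIGH"),
    Proc(6884, r"C:\Windows\System32\regsvr32.exe",
         r' "C:\Program Files\MediaInfo\MediaInfo_InfoTip.dll" /s', "regsvr32.exe", "HIGH"),
    Proc(7052, r"C:\Windows\explorer.exe",
         r'"C:\WINDOWS\explorer.exe" "C:\Program Files\MediaInfo\MediaInfo.exe"',
         "MediaInfo_GUI_24.12_Windows.exe", "HIGH"),
    Proc(7100, r"C:\Windows\explorer.exe",
         r"C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",
         "svchost.exe", "MEDIUM"),
    Proc(7140, r"C:\Program Files\MediaInfo\MediaInfo.exe",
         r'"C:\Program Files\MediaInfo\MediaInfo.exe"', "explorer.exe", "MEDIUM"),
]
# CONSTRUCTED, not in the report: regsvr32 loading a module from the user's
# temp directory on behalf of an Office process, the loader-abuse shape.
CONSTRUCTED_ABUSE = Proc(9999, r"C:\Windows\System32\regsvr32.exe",
                         r'regsvr32.exe /s "C:\Users\admin\AppData\Local\Temp\update.dll"',
                         "winword.exe", "MEDIUM")

# Drive-letter paths ending in a loadable module, quoted or not.
WIN_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx))"?(?=["\s]|$)', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_IMAGES = {"services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "explorer.exe"}


def registered_module(proc: Proc) -> Optional[str]:
    """DLL/OCX path a regsvr32 process was asked to (un)register, else None."""
    if not proc.image.lower().endswith("\\regsvr32.exe"):
        return None
    for path in WIN_PATH.findall(proc.cmd):
        if path.lower().endswith((".dll", ".ocx")):
            return path
    return None


def triage_regsvr32(procs):
    """One finding per regsvr32 process: where the module lives and who asked."""
    findings = []
    for p in procs:
        module = registered_module(p)
        if module is None:
            continue
        low = module.lower()
        if p.parent.lower() == "regsvr32.exe":
            # SysWOW64 regsvr32 re-launching the System32 one for a 64-bit DLL:
            # the same registration, not a second loader.
            verdict = "wow64-relaunch"
        elif any(seg in low for seg in USER_WRITABLE):
            verdict = "suspicious"  # COM/shell registration out of a user-writable path
        elif low.startswith(PROGRAM_FILES) and p.parent.lower() not in SYSTEM_IMAGES:
            # A setup program registering a module in its own install tree;
            # expected for shell extensions, decided by the installer's signature.
            verdict = "installer-registration"
        else:
            verdict = "review"
        findings.append({"pid": p.pid, "module": module, "parent": p.parent, "verdict": verdict})
    return findings


def triage_explorer_launches(procs):
    """explorer.exe started by a non-system process with an .exe as argument,
    paired with the child explorer then started (shows the integrity drop)."""
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\explorer.exe"):
            continue
        targets = [x for x in WIN_PATH.findall(p.cmd)
                   if x.lower().endswith(".exe") and not x.lower().endswith("\\explorer.exe")]
        if not targets or p.parent.lower() in SYSTEM_IMAGES:
            continue
        child = next((c for c in procs if c.image.lower() == targets[0].lower()
                      and c.parent.lower() == "explorer.exe"), None)
        findings.append({"pid": p.pid, "target": targets[0], "parent": p.parent,
                         "launcher_integrity": p.integrity,
                         "child_integrity": child.integrity if child else None})
    return findings


if __name__ == "__main__":
    for f in triage_regsvr32(REPORT_PROCESSES + [CONSTRUCTED_ABUSE]):
        print("regsvr32:", f)
    for f in triage_explorer_launches(REPORT_PROCESSES):
        print("explorer:", f)
```

Run against the transcribed records, PID 6872 comes out as installer-registration, PID 6884 as wow64-relaunch, and only the constructed PID 9999 as suspicious; the explorer finding pairs PID 7052 (HIGH) with PID 7140 (MEDIUM). The rule deliberately stops at "installer-registration" rather than "clean": what turns that into a verdict is the signature and hash check on the installer, which this report does not contain.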

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 24.12.0.0
ProductVersionNumber: 24.12.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Cyrillic
CompanyName: MediaArea.net
FileDescription: All about your audio and video files
FileVersion: 24.12.0.0
LegalCopyright: MediaArea.net
OriginalFileName: MediaInfo_GUI_24.12_Windows.exe
ProductName: MediaInfo
ProductVersion: 24.12.0.0
All screenshots are available in the full report
Total processes: 118
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown ("no specs" as labelled by the sandbox):
start
mediainfo_gui_24.12_windows.exe
regsvr32.exe (no specs)
regsvr32.exe (no specs)
explorer.exe (no specs)
explorer.exe (no specs)
mediainfo.exe (no specs)
mediainfo_gui_24.12_windows.exe (no specs)

Process information

PID | CMD | Path | Parent process
PID 6524 | CMD: "C:\Users\admin\Desktop\MediaInfo_GUI_24.12_Windows.exe" | Path: C:\Users\admin\Desktop\MediaInfo_GUI_24.12_Windows.exe | Parent process: explorer.exe
User: admin
Company: MediaArea.net
Integrity Level: MEDIUM
Description: All about your audio and video files
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch exited for elevation; PID 6676 is the same installer at HIGH integrity)
Version: 24.12.0.0
Modules (images):
c:\users\admin\desktop\mediainfo_gui_24.12_windows.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 6676 | CMD: "C:\Users\admin\Desktop\MediaInfo_GUI_24.12_Windows.exe" | Path: C:\Users\admin\Desktop\MediaInfo_GUI_24.12_Windows.exe | Parent process: explorer.exe
User: admin
Company: MediaArea.net
Integrity Level: HIGH
Description: All about your audio and video files
Exit code: 0
Version: 24.12.0.0
Modules (images):
c:\users\admin\desktop\mediainfo_gui_24.12_windows.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 6872 | CMD: "C:\WINDOWS\system32\regsvr32.exe" "C:\Program Files\MediaInfo\MediaInfo_InfoTip.dll" /s | Path: C:\Windows\SysWOW64\regsvr32.exe | Parent process: MediaInfo_GUI_24.12_Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 5
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 6884 | CMD: "C:\Program Files\MediaInfo\MediaInfo_InfoTip.dll" /s | Path: C:\Windows\System32\regsvr32.exe | Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 5
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 7052 | CMD: "C:\WINDOWS\explorer.exe" "C:\Program Files\MediaInfo\MediaInfo.exe" | Path: C:\Windows\explorer.exe | Parent process: MediaInfo_GUI_24.12_Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID 7100 | CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Path: C:\Windows\explorer.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID 7140 | CMD: "C:\Program Files\MediaInfo\MediaInfo.exe" | Path: C:\Program Files\MediaInfo\MediaInfo.exe | Parent process: explorer.exe
User: admin
Company: MediaArea.net
Integrity Level: MEDIUM
Description: MediaInfo
Exit code: (none recorded; still running at the end of the analysis)
Version: 24.12.0.0
Modules (images):
c:\program files\mediainfo\mediainfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 5 537
Read events: 5 214
Write events: 323
Delete events: 0

Modification events

(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_CURRENT_USER\SOFTWARE\MediaArea\MediaInfo | Operation: write | Name: InstallCount | Value: 1
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaInfo | Operation: write | Name: DisplayName | Value: MediaInfo 24.12
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaInfo | Operation: write | Name: Publisher | Value: MediaArea.net
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaInfo | Operation: write | Name: UninstallString | Value: C:\Program Files\MediaInfo\uninst.exe
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaInfo | Operation: write | Name: DisplayIcon | Value: C:\Program Files\MediaInfo\MediaInfo.exe
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaInfo | Operation: write | Name: DisplayVersion | Value: 24.12
(PID) Process: (6676) MediaInfo_GUI_24.12_Windows.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaInfo | Operation: write | Name: URLInfoAbout | Value: http://MediaArea.net/MediaInfo
Executable files: 10
Suspicious files: 3
Text files: 121
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Users\admin\AppData\Local\Temp\nsf9679.tmp\System.dll | executable
  MD5: 192639861E3DC2DC5C08BB8F8C7260D5 | SHA256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Users\admin\AppData\Local\Temp\nsf9679.tmp\INetC.dll | executable
  MD5: 40D7ECA32B2F4D29DB98715DD45BFAC5 | SHA256: 85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MediaInfo.lnk | binary
  MD5: 06C48BF7F8E2CC95363A58EAD846C0F9 | SHA256: 226C66CDFA22A5333B1435CD86CAD40A0FD82227794B1D78C12F92A99FE10433
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Program Files\MediaInfo\MediaInfo.exe | executable
  MD5: FE81E47578CAC10D2B287765DDDE40CF | SHA256: E55A809DCDE7E073117451F6CFB953167C84B88BD5F77FBAD371076C0BB5329C
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Program Files\MediaInfo\Plugin\Custom\Example.csv | text
  MD5: 3D10242A6FB504C9FBEB9B56B9E33198 | SHA256: A785697B761AEA39467134EC4E0FBD39218685B295553773EF5E5D707B025AB9
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Program Files\MediaInfo\MediaInfo.dll | executable
  MD5: 97DB94B8BD4748767F273F0E572754B8 | SHA256: E2C364FB046826787D6EB32A11F2C4741D52CA204E2C1021361C8CBEA4B1A8B6
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Program Files\MediaInfo\LIBCURL.DLL | executable
  MD5: AD257F17355AF93B8D706C4FFAD68E55 | SHA256: 22B972F008AB8BB5BC225889A8BE60683B2BF7546B8E0D699B5B4186BDBB7CC1
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Program Files\MediaInfo\Plugin\Custom\Table by fields, short (HTML).csv | html
  MD5: 2FDDA620B24C981F004A60532BE7C95A | SHA256: D213026162C0610F833B4C72760E8AA0B3630FCF52D96A118068ECB8A3C51908
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Users\admin\AppData\Local\Temp\nsf9679.tmp\temp.txt | text
  MD5: 1CE7A409B6B5FE83A917E8774587F4A2 | SHA256: DBEA19FE105F3B1221259B70038C30704FA19EA2735D2B4966DD04740271FD19
6676 | MediaInfo_GUI_24.12_Windows.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\24.12.0[1].0 | text
  MD5: 1CE7A409B6B5FE83A917E8774587F4A2 | SHA256: DBEA19FE105F3B1221259B70038C30704FA19EA2735D2B4966DD04740271FD19
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 19
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5160 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5160 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 51.75.207.234:443 | https://mediaarea.net/install/MediaInfo/24.12.0.0 | unknown | text | 9 b | whitelisted
("-" marks a cell the report leaves blank.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5160 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5160 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
("-" marks a cell the report leaves blank.)

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.171
  • 104.126.37.162
  • 104.126.37.163
  • 104.126.37.155
  • 104.126.37.137
  • 104.126.37.178
  • 104.126.37.179
  • 104.126.37.146
  • 104.126.37.154
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
mediaarea.net
  • 51.75.207.234
whitelisted
self.events.data.microsoft.com
  • 20.189.173.9
whitelisted

Threats

No threats detected
No debug info