File name: CyberLink_PowerDVD_Downloader.exe

Full analysis: https://app.any.run/tasks/efe92151-aeef-4270-9b28-d7c19b860e94
Verdict: Malicious activity
Analysis date: May 24, 2018, 10:11:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators: (none listed)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E94ABAD8C61EAC9E639B49E3C96920C6
SHA1: BC621E60AAE6784372AA31F9B8766D2445C9837D
SHA256: BF9044CC2E229B3AFEC52F2D334CA8073F334EC53C6B76D8A96E985379914D1B
SSDEEP: 24576:7tVBliLOutw5sL866phzOBynxrEq6iKeOx6rjKEYLy:3iLOuqkyyCxrD6iKVqjKty

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • CyberLink_PowerDVD_Downloader.exe (PID: 3556)
      • CyberLink_PowerDVD_Downloader.exe (PID: 2720)
    • Creates files in the program directory

      • CyberLink_PowerDVD_Downloader.exe (PID: 2720)
      • CyberLink_PowerDVD_Downloader.exe (PID: 3556)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:11 09:58:09+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 557056
InitializedDataSize: 409600
UninitializedDataSize: -
EntryPoint: 0x7294b
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.9.1.4011
ProductVersionNumber: 2.9.1.4011
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: CyberLink
FileDescription: CyberLink Downloader
FileVersion: 2.9.1.4011
InternalName: CLDownloader
LegalCopyright: Copyright (C) CyberLink Corporation. All rights reserved
OriginalFileName: CLDownloader.exe
ProductName: CLDownloader
ProductVersion: 2.9.1.4011
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> cyberlink_powerdvd_downloader.exe, cyberlink_powerdvd_downloader.exe

Process information

PID: 2720
CMD: "C:\Users\admin\AppData\Local\Temp\CyberLink_PowerDVD_Downloader.exe"
Path: C:\Users\admin\AppData\Local\Temp\CyberLink_PowerDVD_Downloader.exe
Parent process: explorer.exe
User: admin
Company: CyberLink
Integrity Level: MEDIUM
Description: CyberLink Downloader
Exit code: 0
Version: 2.9.1.4011
Modules (images):
  c:\users\admin\appdata\local\temp\cyberlink_powerdvd_downloader.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 3556
CMD: "C:\Users\admin\AppData\Local\Temp\CyberLink_PowerDVD_Downloader.exe"
Path: C:\Users\admin\AppData\Local\Temp\CyberLink_PowerDVD_Downloader.exe
Parent process: explorer.exe
User: admin
Company: CyberLink
Integrity Level: MEDIUM
Description: CyberLink Downloader
Exit code: 0
Version: 2.9.1.4011
Modules (images):
  c:\users\admin\appdata\local\temp\cyberlink_powerdvd_downloader.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
Total events: 790
Read events: 723
Write events: 67
Delete events: 0

Modification events

PID 3556, CyberLink_PowerDVD_Downloader.exe, operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberLink_PowerDVD_Downloader_RASAPI32
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = 4294901760
  ConsoleTracingMask = 4294901760
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

PID 3556, CyberLink_PowerDVD_Downloader.exe, operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberLink_PowerDVD_Downloader_RASMANCS
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = 4294901760
  ConsoleTracingMask = 4294901760

Executable files: 0
Suspicious files: 0
Text files: 8
Unknown types: 17

Dropped files

PID 3556, CyberLink_PowerDVD_Downloader.exe (MD5/SHA256 and type not shown in this extract):
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt
  C:\Users\admin\AppData\Local\Temp\f6c5622b-9193-4a51-91d4-72ee6b66d051.xml
  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\hggh073w.default\cookies.sqlite-shm
  C:\ProgramData\CyberLink\EvoParser\PowerDVD\13.0\UNO\uno.db-journal
  \Device\HarddiskVolume2\ProgramData\CyberLink\EvoParser\PowerDVD\13.0\UNO\f6c5622b-9193-4a51-91d4-72ee6b66d051.xml
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LKO8ICX\sendlog[1].jsp
  C:\Users\admin\AppData\Local\Temp\acf4fd83-3827-454a-926b-ddb31a271f83.xml
  \Device\HarddiskVolume2\ProgramData\CyberLink\EvoParser\PowerDVD\13.0\UNO\acf4fd83-3827-454a-926b-ddb31a271f83.xml
  C:\Users\admin\AppData\Local\Temp\6793c535-3cd0-4ee9-bd37-525fd7a202d1.xml
  \Device\HarddiskVolume2\ProgramData\CyberLink\EvoParser\PowerDVD\13.0\UNO\6793c535-3cd0-4ee9-bd37-525fd7a202d1.xml
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 19
DNS requests: 4
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | GET | 200 | 54.228.247.52:80 | http://downloader.cyberlink.com/prog/util/downloader/trial.jsp?PRODUCTNAME=PowerDVD&PRODUCTVERSION=13.0&MAJORVER=13&MINORVER=0&BUILDNO=&CHANNEL=iSales&VERSIONTYPE=Trial%20BD%20(with%20Dolby)&VENDORNAME=2581&SR=DVD130327-04&BU=&OSREGION=&DEVICE=&SYSTEMLOCALE=&VID=2.9.1.4011&TokenID=E21B3BDA-B831-47C8-9F80-ACEABA33D984&LANGUAGE=ENU&Locale=USA&Format=ENU&UUID=S-1-5-21-1302019708-1500728564-335382590-1000&platform=x86 | IE | text | 107 b | malicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious
2720 | CyberLink_PowerDVD_Downloader.exe | POST | - | 203.73.25.244:80 | http://dna.cyberlink.com/dna/sendlog.jsp | TW | - | - | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3556 | CyberLink_PowerDVD_Downloader.exe | 172.217.23.164:80 | www.google.com | Google Inc. | US | whitelisted
3556 | CyberLink_PowerDVD_Downloader.exe | 203.73.25.244:80 | dna.cyberlink.com | Digital United Inc. | TW | suspicious
3556 | CyberLink_PowerDVD_Downloader.exe | 54.228.247.52:80 | downloader.cyberlink.com | Amazon.com, Inc. | IE | unknown
2720 | CyberLink_PowerDVD_Downloader.exe | 172.217.23.164:80 | www.google.com | Google Inc. | US | whitelisted
2720 | CyberLink_PowerDVD_Downloader.exe | 203.73.25.244:80 | dna.cyberlink.com | Digital United Inc. | TW | suspicious

DNS requests

Domain | IP | Reputation
www.google.com | 172.217.23.164 | malicious
dna.cyberlink.com | 203.73.25.244 | suspicious
downloader.cyberlink.com | 54.228.247.52 | malicious

Threats

PID | Process | Class | Message
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
3556 | CyberLink_PowerDVD_Downloader.exe | A Network Trojan was detected | ET POLICY User Agent Ryeol HTTP Client Class
No debug info