File name: Nero-BackItUp-2025-3.0.1.8.exe

Full analysis: https://app.any.run/tasks/298f02a0-2255-4aaa-9538-88489ba5033d
Verdict: Malicious activity
Analysis date: July 06, 2025, 05:36:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-doc, arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: BC4A177C57AD2439DE08F86738E026B5
SHA1: 14DFAA2069E01EB0C8973D4DC7043BF2CA153572
SHA256: FFF7E97A5C76A9C197BA2BA9419BA34162859A265C6A1E568E9022B56EC1B64C
SSDEEP: 98304:zP6KSoi+6TcFr5E36nyyxDRj3GVn+Ul5XSwogze6CYIiTfli2vV9Mh8MRo2w+uUq:bAeWG9+x64GI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • NeroInstaller.exe (PID: 5808)
    • Loads dropped or rewritten executable

      • NeroInfo.exe (PID: 72)
      • NeroPatentActivation.exe (PID: 5992)
      • SpecialOffer.exe (PID: 1204)
      • FileCoAuth.exe (PID: 7580)
      • regsvr32.exe (PID: 8036)
      • regsvr32.exe (PID: 8048)
      • FileCoAuth.exe (PID: 7304)
      • elevate.exe (PID: 7724)
      • icacls.exe (PID: 4820)
  • SUSPICIOUS

    • Reads Internet Explorer settings

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 3028)
      • NeroKnowHowPLUS.exe (PID: 2124)
    • Reads security settings of Internet Explorer

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInstaller.exe (PID: 3028)
      • NeroInfo.exe (PID: 72)
    • Executable content was dropped or overwritten

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInstaller.exe (PID: 3028)
      • NeroInfo.exe (PID: 72)
    • Creates a software uninstall entry

      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 3028)
    • Searches for installed software

      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 3028)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 4552)
      • regsvr32.exe (PID: 8036)
      • NeroInstaller.exe (PID: 5808)
      • regsvr32.exe (PID: 8076)
    • Starts itself from another location

      • NeroInstaller.exe (PID: 1812)
    • Reads Microsoft Outlook installation path

      • NeroKnowHowPLUS.exe (PID: 2124)
    • There is functionality for taking screenshot (YARA)

      • NeroKnowHowPLUS.exe (PID: 2124)
    • Uses ICACLS.EXE to modify access control lists

      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 3028)
    • Starts CMD.EXE for commands execution

      • NeroInstaller.exe (PID: 3028)
    • Process drops legitimate windows executable

      • NeroInfo.exe (PID: 72)
      • NeroInstaller.exe (PID: 5808)
    • The process drops C-runtime libraries

      • NeroInstaller.exe (PID: 5808)
    • The process creates files with name similar to system file names

      • NeroInstaller.exe (PID: 5808)
  • INFO

    • Checks supported languages

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInstaller.exe (PID: 3028)
      • NeroInfo.exe (PID: 72)
      • NeroInfo.exe (PID: 5020)
      • NeroPatentActivation.exe (PID: 5992)
      • SpecialOffer.exe (PID: 1204)
      • identity_helper.exe (PID: 7668)
      • elevate.exe (PID: 7724)
    • Checks proxy server information

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 3028)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInfo.exe (PID: 72)
      • slui.exe (PID: 3396)
    • Creates files in the program directory

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 3028)
    • Reads the computer name

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInstaller.exe (PID: 3028)
      • NeroInfo.exe (PID: 5020)
      • NeroInfo.exe (PID: 72)
      • identity_helper.exe (PID: 7668)
    • Reads the software policy settings

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 3028)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInfo.exe (PID: 72)
      • slui.exe (PID: 3396)
    • The sample compiled with english language support

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 3028)
      • NeroInfo.exe (PID: 72)
      • NeroInstaller.exe (PID: 5808)
    • Reads the machine GUID from the registry

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 3028)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInfo.exe (PID: 72)
    • Create files in a temporary directory

      • Nero-BackItUp-2025-3.0.1.8.exe (PID: 7092)
      • NeroInstaller.exe (PID: 1812)
      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 3028)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInfo.exe (PID: 72)
    • Manual execution by a user

      • NeroInstaller.exe (PID: 6180)
      • NeroInstaller.exe (PID: 1812)
      • NeroKnowHowPLUS.exe (PID: 2124)
      • OpenWith.exe (PID: 432)
      • NeroInfo.exe (PID: 72)
      • OpenWith.exe (PID: 6228)
      • SpecialOffer.exe (PID: 1204)
      • NeroPatentActivation.exe (PID: 5992)
      • iexplore.exe (PID: 5768)
      • WINWORD.EXE (PID: 5140)
      • iexplore.exe (PID: 4768)
      • WINWORD.EXE (PID: 2704)
      • WINWORD.EXE (PID: 8148)
      • WINWORD.EXE (PID: 6512)
      • iexplore.exe (PID: 6368)
      • WINWORD.EXE (PID: 7404)
      • WINWORD.EXE (PID: 2192)
      • rundll32.exe (PID: 7860)
      • rundll32.exe (PID: 7340)
      • elevate.exe (PID: 7724)
      • rundll32.exe (PID: 984)
      • OpenWith.exe (PID: 6836)
    • Process checks computer location settings

      • NeroInstaller.exe (PID: 5808)
      • NeroInstaller.exe (PID: 3028)
    • Creates files or folders in the user directory

      • NeroKnowHowPLUS.exe (PID: 2124)
    • The sample compiled with german language support

      • NeroKnowHowPLUS.exe (PID: 2124)
      • NeroInstaller.exe (PID: 5808)
    • Disables trace logs

      • NeroKnowHowPLUS.exe (PID: 2124)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 432)
      • OpenWith.exe (PID: 6228)
      • OpenWith.exe (PID: 6836)
    • Application launched itself

      • msedge.exe (PID: 4216)
    • Reads Environment values

      • identity_helper.exe (PID: 7668)
    • The sample compiled with czech language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with Italian language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with spanish language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with french language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with japanese language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with korean language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with polish language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with portuguese language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with russian language support

      • NeroInstaller.exe (PID: 5808)
    • SQLite executable

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with turkish language support

      • NeroInstaller.exe (PID: 5808)
    • The sample compiled with swedish language support

      • NeroInstaller.exe (PID: 5808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:29 06:01:53+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1442304
InitializedDataSize: 7006720
UninitializedDataSize: -
EntryPoint: 0x11003a
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.1.8
ProductVersionNumber: 3.0.1.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nero AG
FileDescription: NeroInstaller
FileVersion: 3.0.1.8
InternalName: NeroInstaller
LegalCopyright: Copyright (c) 2003-2024 Nero AG and its licensors
OriginalFileName: backitup2025
ProductName: NeroInstaller
ProductVersion: 3.0.1.8
All screenshots are available in the full report
Total processes: 189
Monitored processes: 66
Malicious processes: 5
Suspicious processes: 3


Process information

Each entry lists PID, command line (CMD), image path, indicators and parent process, followed by the process details and the first loaded modules.

PID: 72
CMD: "C:\Users\admin\Desktop\NeroInfo.exe"
Path: C:\Users\admin\Desktop\NeroInfo.exe
Parent process: explorer.exe
User: admin
Company: Nero AG
Integrity Level: MEDIUM
Description: Nero Info
Exit code: 0
Version: 27,5,1,1
Modules
Images
c:\users\admin\desktop\neroinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 432
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\neropack
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 436
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3592,i,2268343986032361071,11221459509707980213,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 984
CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\nero_logo.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1028
CMD: "C:\Windows\System32\cmd.exe" /c ""C:\Program Files (x86)\Nero\Nero Apps\NeroInfo\NeroInfo.exe" -createtask"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: NeroInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: NeroPatentActivation.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1200
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2528,i,2268343986032361071,11221459509707980213,262144 --variations-seed-version --mojo-platform-channel-handle=2704 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1204
CMD: "C:\Users\admin\Desktop\SpecialOffer.exe"
Path: C:\Users\admin\Desktop\SpecialOffer.exe
Parent process: explorer.exe
User: admin
Company: Nero AG
Integrity Level: MEDIUM
Description: AdvrCntr Special Module
Exit code: 0
Version: 11.9.5.12
Modules
Images
c:\users\admin\desktop\specialoffer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1652
CMD: "C:\Windows\System32\icacls.exe" "C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\NeroStart.zip" /grant Users:M /T
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: NeroInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1812
CMD: "C:\Users\admin\Desktop\NeroInstaller.exe"
Path: C:\Users\admin\Desktop\NeroInstaller.exe
Parent process: explorer.exe
User: admin
Company: Nero AG
Integrity Level: HIGH
Description: NeroInstaller
Exit code: 4294967295
Version: 3.0.2.1
Modules
Images
c:\users\admin\desktop\neroinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 60 570
Read events: 59 713
Write events: 749
Delete events: 108

Modification events

(PID) Process: (7092) Nero-BackItUp-2025-3.0.1.8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7092) Nero-BackItUp-2025-3.0.1.8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7092) Nero-BackItUp-2025-3.0.1.8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Nero\Nero Launcher
Operation: write
Name: installPath
Value: C:\Program Files (x86)\Nero

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Nero\Nero 10\Shared
Operation: write
Name: SendUsageStatistics
Value: 1

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\neropack\226
Operation: write
Name: C:\Program Files (x86)\Nero\Nero Common\Nero KnowHow PLUS\NeroKnowHowPLUS.exe
Value: 2025-07-06 05:36:41

(PID) Process: (5808) NeroInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL
Operation: write
Name: NeroKnowHowPLUS.exe
Value: 1
Executable files: 253
Suspicious files: 456
Text files: 193
Unknown types: 2

Dropped files

PID | Process | Filename | Type

7092 | Nero-BackItUp-2025-3.0.1.8.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\25_07_06_05-36AM.Log | binary
  MD5: FD6CF5D31EF6D91260A117659911B84E
  SHA256: A07F2A3999FEFD2A1D8A1DEC13F7C2DDC9449AC9B857B3EF1E6D7F2179846440
7092 | Nero-BackItUp-2025-3.0.1.8.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\NeroInstaller.zip | compressed
  MD5: 6DEB0E4F914724CCB3651A5ABE8B62A3
  SHA256: 741BE68E766702BCA1C05305F350B9366463BF69627978CA9D357CCC3563E6EF
7092 | Nero-BackItUp-2025-3.0.1.8.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\temp\NeroInstaller\NeroInstaller.exe | executable
  MD5: 2977B9414237C2DD7982D908C12D10A9
  SHA256: AD8B2A1D676AD7620A2FCEED18CD868DE07A756EADE950B9133D9D34DB289C2C
5808 | NeroInstaller.exe | C:\Program Files (x86)\Nero\Nero Common\AdvrCntr6\NeroPatentActivation.exe | executable
  MD5: ACBC93DCAF4A1443A0B0533A3F026944
  SHA256: D3681265C9759BB8B6564C5A695F7F1071633256AE65670F1C0445FAA27F52B7
5808 | NeroInstaller.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\advrcntr6.zip | compressed
  MD5: 24EC6AE4342C1CFFACBA193B218F44B8
  SHA256: 561D672E263A26732DADF23F79C8F32A544E8286010BC371071A6BB9A4F2F1FC
5808 | NeroInstaller.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\Guide.zip | compressed
  MD5: FDB47AF94B0A266B2005CDA2EFBD3D09
  SHA256: 59E1A916AFD015A7F73C44C5CF0ED15E39877462620A28F4C932C8A4427D9CD5
5808 | NeroInstaller.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\NeroInstaller.ini | binary
  MD5: 9C6E77AA39A42FEE418403AFD131FC96
  SHA256: 170A9DC2C9AED00878066AC17948A27A45663ED14AFC5ACFC3F93194B2D19F2B
1812 | NeroInstaller.exe | C:\Users\admin\AppData\Local\Temp\NeroInstaller\nerocore\temp\NeroInstaller\NeroInstaller.exe | executable
  MD5: 2977B9414237C2DD7982D908C12D10A9
  SHA256: AD8B2A1D676AD7620A2FCEED18CD868DE07A756EADE950B9133D9D34DB289C2C
5808 | NeroInstaller.exe | C:\Program Files (x86)\Nero\Nero Common\AdvrCntr6\Eula_Nero_en-US.rtf | text
  MD5: 32323FDCC22CFBE3F3FD3ED49ADCC368
  SHA256: D8CD4C9CEFC18B62DCE1E441C18002328962FEF8FBA2AE890EDE1BA4BDAF2153
5808 | NeroInstaller.exe | C:\Program Files (x86)\Nero\Nero Common\AdvrCntr6\Eula_Nero_es-ES.rtf | text
  MD5: 9258987A0DA2226C409A072394A55E89
  SHA256: BE62DE4475BC67D00FEED3430466BA7FC272C8CA487BED5D6FA1CE9D7ADABC54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 160
TCP/UDP connections: 142
DNS requests: 53
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 193.24.237.217:443 | https://login.nero.com/api/setting/general | unknown | binary | 3.23 Kb | whitelisted
- | - | GET | 302 | 193.24.239.229:443 | https://www.nero.com/download.php?id=0_250320253021_neroinstaller | unknown | - | - | -
- | - | GET | 200 | 205.234.175.175:443 | https://dl9.nero.com/software/NeroNewInstall/neroinstaller_3.0.2.1.zip | unknown | compressed | 5.99 Mb | whitelisted
- | - | GET | 200 | 193.24.237.217:443 | https://login.nero.com/api/setting/general | unknown | binary | 3.23 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176, 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 184.30.21.171, 95.101.149.131 | whitelisted
login.nero.com | 193.24.237.217 | whitelisted
www.nero.com | 193.24.239.229 | whitelisted
dl9.nero.com | 205.234.175.175 | whitelisted
s3.neroknowhow.com | 193.24.237.217 | unknown
neroknowhow.com | 193.24.237.217 | unknown
www.googletagmanager.com | 172.217.16.200 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image Sharing Service (imgur.com)
- | - | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install
Process | Message
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:27.632] Debug "C:\Users\admin\Desktop\Nero-BackItUp-2025-3.0.1.8.exe"
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:27.898] Debug Installer ID:backitup2025
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:27.898] Debug SilentMode:0 strInstallPath: UseExtension:1
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:27.898] Debug Make NTIU Registry Writeable:1
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [4984] [2025-07-06 05:36:27.944] Info Start Update Check - url: https://login.nero.com/api/update/check
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [4984] [2025-07-06 05:36:28.679] Info Update Check Done, It is force update, update it.
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:33.945] Debug File content length: 6284065, Http response Code 200:
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:34.116] Debug File https://www.nero.com/download.php?id=0_250320253021_neroinstaller, Http response Code 200:
Nero-BackItUp-2025-3.0.1.8.exe | Stub Installer [7004] [2025-07-06 05:36:34.148] Debug Download self Succ.
NeroInstaller.exe | Stub Installer [4192] [2025-07-06 05:36:34.538] Debug "C:\Users\admin\Desktop\Nero-BackItUp-2025-3.0.1.8.exe" /noselfupdate /installid backitup2025 /nomutexcheck