File name: tms-vcl-ui-pack-key-_GTmh40oS02.exe

Full analysis: https://app.any.run/tasks/fd8d95d3-b107-4f9f-8a51-307d6ae3a716
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 29, 2024, 06:09:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
downloadassistant
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 18F6F02710700A4152D0639E74EE9789
SHA1: B9B8D17012ABCCE85318F15D1AA9157EEE6F7D67
SHA256: 0249C9325356891A6E218A8AB849D297FCE0E9D7A5BD2BF246B7CB62A7238E74
SSDEEP: 98304:KExaGpyL71yxGUFoY2Sy6APXSUL2jgcGoZuBMhiR74xZ+Eyh+QtKobQD3YNxQXug:9yxdjGoxMI5+8hSQXOEu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 3976)
      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 928)
    • DOWNLOADASSISTANT has been detected (SURICATA)

      • freeaudioeditor.exe (PID: 1116)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 3976)
      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 928)
    • Reads the Windows owner or organization settings

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
    • Process drops legitimate windows executable

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
    • Access to an unwanted program domain was detected

      • freeaudioeditor.exe (PID: 1116)
  • INFO

    • Create files in a temporary directory

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 928)
      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 3976)
    • Reads the computer name

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 3992)
      • freeaudioeditor.exe (PID: 1116)
    • Checks supported languages

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
      • freeaudioeditor.exe (PID: 1116)
      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 3992)
      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 928)
      • tms-vcl-ui-pack-key-_GTmh40oS02.exe (PID: 3976)
    • Creates files or folders in the user directory

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
    • Creates a software uninstall entry

      • tms-vcl-ui-pack-key-_GTmh40oS02.tmp (PID: 1120)
    • Reads the machine GUID from the registry

      • freeaudioeditor.exe (PID: 1116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:29 08:15:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 40448
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xa5f8
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Free Audio Editor Setup
FileVersion:
LegalCopyright:
ProductName: Free Audio Editor
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph:
  • start
  • tms-vcl-ui-pack-key-_gtmh40os02.exe
  • tms-vcl-ui-pack-key-_gtmh40os02.tmp (no specs)
  • tms-vcl-ui-pack-key-_gtmh40os02.exe
  • tms-vcl-ui-pack-key-_gtmh40os02.tmp
  • schtasks.exe (no specs)
  • freeaudioeditor.exe (#DOWNLOADASSISTANT)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 864
CMD: "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Free_Audio_Editor_5291"
Path: C:\Windows\System32\schtasks.exe
Parent process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 928
CMD: "C:\Users\admin\AppData\Local\Temp\tms-vcl-ui-pack-key-_GTmh40oS02.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\tms-vcl-ui-pack-key-_GTmh40oS02.exe
Parent process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
Free Audio Editor Setup
Version:
Modules
Images
c:\users\admin\appdata\local\temp\tms-vcl-ui-pack-key-_gtmh40os02.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1116
CMD: "C:\Users\admin\AppData\Local\Free Audio Editor\freeaudioeditor.exe" f34a3db2b4351a312ac89330e0844771
Path: C:\Users\admin\AppData\Local\Free Audio Editor\freeaudioeditor.exe
Parent process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp
User:
admin
Integrity Level:
HIGH
Description:
DrawPad Graphic Design Software
Version:
1.0.0.2
Modules
Images
c:\users\admin\appdata\local\free audio editor\freeaudioeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 1120
CMD: "C:\Users\admin\AppData\Local\Temp\is-N1RJU.tmp\tms-vcl-ui-pack-key-_GTmh40oS02.tmp" /SL5="$30130,7695112,56832,C:\Users\admin\AppData\Local\Temp\tms-vcl-ui-pack-key-_GTmh40oS02.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-N1RJU.tmp\tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Parent process: tms-vcl-ui-pack-key-_GTmh40oS02.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-n1rju.tmp\tms-vcl-ui-pack-key-_gtmh40os02.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\tms-vcl-ui-pack-key-_GTmh40oS02.exe"
Path: C:\Users\admin\AppData\Local\Temp\tms-vcl-ui-pack-key-_GTmh40oS02.exe
Parent process: explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Free Audio Editor Setup
Version:
Modules
Images
c:\users\admin\appdata\local\temp\tms-vcl-ui-pack-key-_gtmh40os02.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 3992
CMD: "C:\Users\admin\AppData\Local\Temp\is-Q31SH.tmp\tms-vcl-ui-pack-key-_GTmh40oS02.tmp" /SL5="$20138,7695112,56832,C:\Users\admin\AppData\Local\Temp\tms-vcl-ui-pack-key-_GTmh40oS02.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-Q31SH.tmp\tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Parent process: tms-vcl-ui-pack-key-_GTmh40oS02.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-q31sh.tmp\tms-vcl-ui-pack-key-_gtmh40os02.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
Total events: 3 033
Read events: 3 015
Write events: 18
Delete events: 0

Modification events

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 6004000076C44CBB8EB1DA01

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: D2002676B220CF34B2BB9F6FF946BA5250994E34388BFF287ED7B2DC9A0C9B5E

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Local\Free Audio Editor\libgcc_s_dw2-1.dll

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 228DC6F3A64F889B64604E614A69431E3874A2EFC357C4312BC4489B4C1C267B

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Free Audio Editor_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.7 (a)

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Free Audio Editor_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Free Audio Editor

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Free Audio Editor_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Free Audio Editor\

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Free Audio Editor_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Free Audio Editor

(PID) Process: (1120) tms-vcl-ui-pack-key-_GTmh40oS02.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Free Audio Editor_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files: 49
Suspicious files: 1
Text files: 4
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-KIFRB.tmp\_isetup\_shfoldr.dll
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 3976 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-Q31SH.tmp\tms-vcl-ui-pack-key-_GTmh40oS02.tmp
MD5: EF85DAD0481A331E4A3CFB91F29D0F8E
SHA256: 9F300A0304DFA41D3727C32D5AC2A87506ED06020427820C9F3D7F44F51E1F72

PID: 928 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-N1RJU.tmp\tms-vcl-ui-pack-key-_GTmh40oS02.tmp
MD5: EF85DAD0481A331E4A3CFB91F29D0F8E
SHA256: 9F300A0304DFA41D3727C32D5AC2A87506ED06020427820C9F3D7F44F51E1F72

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: text
Filename: C:\Users\admin\AppData\Local\Free Audio Editor\qt.conf
MD5: 3BB131D6862FDB57979F6C859C7AF30E
SHA256: 3F63CC3979F035E87C272F895B24B107ACE6A9265EA362A49EC823F333693D14

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Free Audio Editor\unins000.exe
MD5: 23BA4B54A434A4BA60836418B12776A2
SHA256: 8DFFDC00EC7717C78AE9D2366E9838C0475EC7B1A4EF7B541AE69785378F2699

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Free Audio Editor\is-JP7EU.tmp
MD5: FADDE43C97607E4445A6F924D851F04E
SHA256: F0614835136413217ED3BAEC9BA22AAAC4C37956AFCB0209F1F89B7676AE86BC

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-KIFRB.tmp\_isetup\_iscrypt.dll
MD5: A69559718AB506675E907FE49DEB71E9
SHA256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Free Audio Editor\libgcc_s_dw2-1.dll
MD5: FADDE43C97607E4445A6F924D851F04E
SHA256: F0614835136413217ED3BAEC9BA22AAAC4C37956AFCB0209F1F89B7676AE86BC

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: text
Filename: C:\Users\admin\AppData\Local\Free Audio Editor\is-BDB42.tmp
MD5: 3BB131D6862FDB57979F6C859C7AF30E
SHA256: 3F63CC3979F035E87C272F895B24B107ACE6A9265EA362A49EC823F333693D14

PID: 1120 | Process: tms-vcl-ui-pack-key-_GTmh40oS02.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Free Audio Editor\is-KC13U.tmp
MD5: 23BA4B54A434A4BA60836418B12776A2
SHA256: 8DFFDC00EC7717C78AE9D2366E9838C0475EC7B1A4EF7B541AE69785378F2699
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 1
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1116 | freeaudioeditor.exe | POST | 172.67.164.12:80 | http://soneservice.shop/new/net_api | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
224.0.0.252:5355 | unknown
1116 | freeaudioeditor.exe | 172.67.164.12:80 | soneservice.shop | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
soneservice.shop | 172.67.164.12, 104.21.74.224 | unknown

Threats

PID | Process | Class | Message
1116 | freeaudioeditor.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] DownloadAssistant HTTP POST Request
No debug info