Malware analysis https://www.dumpmedia.com/download/dumpmedia-spotify-music-converter.exe Malicious activity

Add for printing

URL:	https://www.dumpmedia.com/download/dumpmedia-spotify-music-converter.exe
Full analysis:	https://app.any.run/tasks/a5a30566-d928-4119-886b-849f07a34896
Verdict:	Malicious activity
Analysis date:	December 11, 2024, 01:11:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion arch-doc python
Indicators:
MD5:	7EB2BC98243D09647C516EC0C41E3F65
SHA1:	06C07EDC685A74923126B34C63153E85A0BC4AF5
SHA256:	3B7185A56E4DC4358B282A8ED67783AE3FF3B88C59D38AA97E8DDC9413F7C03E
SSDEEP:	3:N8DSLKFlNL/VwJayIdAq:2OLWlNJwJ9q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - VC_redist.x64.exe (PID: 2200)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
- Executable content was dropped or overwritten
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 2800)
  - vc_redist.x64.exe (PID: 7056)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - cmd.exe (PID: 8844)
  - VC_redist.x64.exe (PID: 2200)
  - VC_redist.x64.exe (PID: 9436)
  - VC_redist.x64.exe (PID: 6004)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Reads security settings of Internet Explorer
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 7056)
  - VC_redist.x64.exe (PID: 9436)
- The process creates files with name similar to system file names
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
- Creates a software uninstall entry
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - VC_redist.x64.exe (PID: 2200)
- Checks Windows Trust Settings
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - msiexec.exe (PID: 9992)
- Drops 7-zip archiver for unpacking
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
- Process drops python dynamic module
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
- Process drops legitimate windows executable
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 2800)
  - vc_redist.x64.exe (PID: 7056)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - cmd.exe (PID: 8844)
  - VC_redist.x64.exe (PID: 2200)
  - msiexec.exe (PID: 9992)
  - VC_redist.x64.exe (PID: 6004)
- The process drops C-runtime libraries
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - cmd.exe (PID: 8844)
  - msiexec.exe (PID: 9992)
- Starts itself from another location
  - vc_redist.x64.exe (PID: 7056)
- Starts a Microsoft application from unusual location
  - VC_redist.x64.exe (PID: 2200)
  - vc_redist.x64.exe (PID: 7056)
- Executes as Windows Service
  - VSSVC.exe (PID: 4672)
- Searches for installed software
  - vc_redist.x64.exe (PID: 7056)
  - dllhost.exe (PID: 7808)
  - VC_redist.x64.exe (PID: 9436)
  - VC_redist.x64.exe (PID: 6004)
- Starts CMD.EXE for commands execution
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - cmd.exe (PID: 9204)
  - mshta.exe (PID: 8276)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - DumpMedia Spotify Music Converter.exe (PID: 6792)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
  - DumpMedia Spotify Music Converter.exe (PID: 7584)
- Application launched itself
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - cmd.exe (PID: 9204)
  - VC_redist.x64.exe (PID: 9436)
  - VC_redist.x64.exe (PID: 9456)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
- Starts application with an unusual extension
  - cmd.exe (PID: 7276)
  - cmd.exe (PID: 2324)
  - cmd.exe (PID: 7292)
  - cmd.exe (PID: 6336)
  - cmd.exe (PID: 7304)
  - cmd.exe (PID: 4320)
  - cmd.exe (PID: 7912)
  - cmd.exe (PID: 8332)
  - cmd.exe (PID: 8372)
  - cmd.exe (PID: 8348)
  - cmd.exe (PID: 8340)
  - cmd.exe (PID: 8696)
  - cmd.exe (PID: 8868)
  - cmd.exe (PID: 9016)
  - cmd.exe (PID: 1328)
  - cmd.exe (PID: 8320)
  - cmd.exe (PID: 6988)
  - cmd.exe (PID: 6988)
  - cmd.exe (PID: 6448)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 2324)
  - cmd.exe (PID: 7304)
  - cmd.exe (PID: 8340)
  - cmd.exe (PID: 1328)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 6336)
  - cmd.exe (PID: 7304)
  - cmd.exe (PID: 8340)
  - cmd.exe (PID: 8332)
  - cmd.exe (PID: 1328)
  - cmd.exe (PID: 8320)
- Uses WMIC.EXE to obtain memory chip information
  - cmd.exe (PID: 4320)
  - cmd.exe (PID: 8372)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 7912)
  - cmd.exe (PID: 8348)
- Executing commands from a ".bat" file
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - cmd.exe (PID: 9204)
  - mshta.exe (PID: 8276)
- Uses WMIC.EXE to obtain local storage devices information
  - cmd.exe (PID: 9212)
  - cmd.exe (PID: 6756)
  - cmd.exe (PID: 7220)
  - cmd.exe (PID: 7396)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 8888)
  - WMIC.exe (PID: 8312)
- Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Uses WMIC.EXE to obtain Windows Installer data
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Loads Python modules
  - psshReslover.exe (PID: 8720)
  - psshReslover.exe (PID: 7540)
- Checks for external IP
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - DumpMedia Spotify Music Converter.exe (PID: 6792)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
  - DumpMedia Spotify Music Converter.exe (PID: 7584)
- The process executes via Task Scheduler
  - PLUGScheduler.exe (PID: 3020)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 9992)
INFO
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 7640)
  - explorer.exe (PID: 8104)
  - explorer.exe (PID: 440)
  - WMIC.exe (PID: 7192)
  - WMIC.exe (PID: 3632)
  - WMIC.exe (PID: 8564)
  - WMIC.exe (PID: 8508)
  - WMIC.exe (PID: 8264)
  - WMIC.exe (PID: 8328)
  - WMIC.exe (PID: 8888)
  - WMIC.exe (PID: 8136)
  - WMIC.exe (PID: 2380)
  - WMIC.exe (PID: 8312)
  - WMIC.exe (PID: 9396)
  - WMIC.exe (PID: 9032)
  - WMIC.exe (PID: 7448)
  - WMIC.exe (PID: 7260)
  - WMIC.exe (PID: 7576)
  - WMIC.exe (PID: 7732)
  - WMIC.exe (PID: 7976)
  - WMIC.exe (PID: 8060)
- Reads the computer name
  - identity_helper.exe (PID: 7928)
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - curl.exe (PID: 5452)
  - VC_redist.x64.exe (PID: 2200)
  - vc_redist.x64.exe (PID: 7056)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - curl.exe (PID: 7608)
  - DumpMedia Spotify Music Converter.exe (PID: 3092)
  - DumpMedia Spotify Music Converter.exe (PID: 7212)
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 8560)
  - psshReslover.exe (PID: 8720)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - msiexec.exe (PID: 9992)
  - VC_redist.x64.exe (PID: 9436)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
  - DumpMedia Spotify Music Converter.exe (PID: 6716)
  - DumpMedia Spotify Music Converter.exe (PID: 6620)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - psshReslover.exe (PID: 7540)
  - DumpMedia Spotify Music Converter.exe (PID: 7584)
- Manual execution by a user
  - Taskmgr.exe (PID: 7640)
  - Taskmgr.exe (PID: 7588)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - firefox.exe (PID: 7716)
  - msedge.exe (PID: 4784)
  - msedge.exe (PID: 5416)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 6696)
  - msedge.exe (PID: 6408)
  - msiexec.exe (PID: 9992)
- The sample compiled with english language support
  - msedge.exe (PID: 6696)
  - msedge.exe (PID: 6408)
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 2800)
  - vc_redist.x64.exe (PID: 7056)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - cmd.exe (PID: 8844)
  - VC_redist.x64.exe (PID: 2200)
  - msiexec.exe (PID: 9992)
  - VC_redist.x64.exe (PID: 6004)
  - VC_redist.x64.exe (PID: 9436)
- Reads Environment values
  - identity_helper.exe (PID: 7928)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- The process uses the downloaded file
  - msedge.exe (PID: 7776)
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 7056)
  - VC_redist.x64.exe (PID: 9436)
- Checks supported languages
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - identity_helper.exe (PID: 7928)
  - curl.exe (PID: 5452)
  - vc_redist.x64.exe (PID: 2800)
  - VC_redist.x64.exe (PID: 2200)
  - vc_redist.x64.exe (PID: 7056)
  - curl.exe (PID: 7608)
  - DumpMedia Spotify Music Converter.exe (PID: 7212)
  - DumpMedia Spotify Music Converter.exe (PID: 3092)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - chcp.com (PID: 4536)
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - chcp.com (PID: 2676)
  - chcp.com (PID: 1888)
  - chcp.com (PID: 7372)
  - chcp.com (PID: 188)
  - chcp.com (PID: 7316)
  - chcp.com (PID: 2736)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - chcp.com (PID: 8500)
  - chcp.com (PID: 8516)
  - chcp.com (PID: 8524)
  - chcp.com (PID: 8752)
  - chcp.com (PID: 8916)
  - DumpMedia Spotify Music Converter.exe (PID: 9024)
  - chcp.com (PID: 9140)
  - chcp.com (PID: 8492)
  - DumpMedia Spotify Music Converter.exe (PID: 8560)
  - psshReslover.exe (PID: 8720)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - chcp.com (PID: 8348)
  - chcp.com (PID: 8360)
  - msiexec.exe (PID: 9992)
  - DumpMedia Spotify Music Converter.exe (PID: 10232)
  - VC_redist.x64.exe (PID: 9436)
  - PLUGScheduler.exe (PID: 3020)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - DumpMedia Spotify Music Converter.exe (PID: 6656)
  - DumpMedia Spotify Music Converter.exe (PID: 7052)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
  - DumpMedia Spotify Music Converter.exe (PID: 6620)
  - chcp.com (PID: 6988)
  - psshReslover.exe (PID: 7540)
- Process checks computer location settings
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 7056)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 9024)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - DumpMedia Spotify Music Converter.exe (PID: 10232)
  - VC_redist.x64.exe (PID: 9436)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Checks proxy server information
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - reg.exe (PID: 8764)
  - reg.exe (PID: 8924)
  - reg.exe (PID: 9148)
  - mshta.exe (PID: 8276)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - reg.exe (PID: 6536)
- Creates files or folders in the user directory
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 3092)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - DumpMedia Spotify Music Converter.exe (PID: 6716)
- Create files in a temporary directory
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - vc_redist.x64.exe (PID: 7056)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - VC_redist.x64.exe (PID: 2200)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Application launched itself
  - msedge.exe (PID: 6408)
  - firefox.exe (PID: 7716)
  - firefox.exe (PID: 7592)
  - msedge.exe (PID: 4784)
- Execution of CURL command
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
- Reads the software policy settings
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - msiexec.exe (PID: 9992)
  - DumpMedia Spotify Music Converter.exe (PID: 5740)
- Reads the machine GUID from the registry
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - psshReslover.exe (PID: 8720)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - msiexec.exe (PID: 9992)
  - VC_redist.x64.exe (PID: 2200)
  - psshReslover.exe (PID: 7540)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Creates files in the program directory
  - dumpmedia-spotify-music-converter.exe (PID: 1596)
  - VC_redist.x64.exe (PID: 2200)
  - PLUGScheduler.exe (PID: 3020)
- Reads product name
  - DumpMedia Spotify Music Converter.exe (PID: 7960)
  - DumpMedia Spotify Music Converter.exe (PID: 7564)
  - DumpMedia Spotify Music Converter.exe (PID: 7992)
  - DumpMedia Spotify Music Converter.exe (PID: 8900)
  - DumpMedia Spotify Music Converter.exe (PID: 7132)
- Changes the display of characters in the console
  - cmd.exe (PID: 7276)
  - cmd.exe (PID: 7292)
  - cmd.exe (PID: 2324)
  - cmd.exe (PID: 6336)
  - cmd.exe (PID: 7304)
  - cmd.exe (PID: 7912)
  - cmd.exe (PID: 4320)
  - cmd.exe (PID: 8372)
  - cmd.exe (PID: 8348)
  - cmd.exe (PID: 8340)
  - cmd.exe (PID: 8332)
  - cmd.exe (PID: 8696)
  - cmd.exe (PID: 8868)
  - cmd.exe (PID: 9016)
  - cmd.exe (PID: 1328)
  - cmd.exe (PID: 8320)
  - cmd.exe (PID: 6988)
  - cmd.exe (PID: 6988)
  - cmd.exe (PID: 6448)
- Reads Internet Explorer settings
  - mshta.exe (PID: 8276)
- Manages system restore points
  - SrTasks.exe (PID: 9912)
- Creates a software uninstall entry
  - msiexec.exe (PID: 9992)
- Sends debugging messages
  - msiexec.exe (PID: 9992)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

566

Monitored processes

287

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

chcp 65001

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

440

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

1073807364

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

796

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6348 --field-trial-handle=2328,i,3441730239168456510,446104909274455299,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll

960

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2324 --field-trial-handle=2328,i,3441730239168456510,446104909274455299,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1164

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -childID 2 -isForBrowser -prefsHandle 4560 -prefMapHandle 4556 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1468 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15aefec8-d099-4db0-94a3-3b717083678b} 7592 "\\.\pipe\gecko-crash-server-pipe.7592" 20fd6559690 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

1168

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4356 --field-trial-handle=2328,i,3441730239168456510,446104909274455299,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1172

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1256

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3488 --field-trial-handle=2328,i,3441730239168456510,446104909274455299,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1328

C:\WINDOWS\system32\cmd.exe /d /s /c "chcp 65001 | systeminfo | findstr ;"

C:\Windows\System32\cmd.exe

—

DumpMedia Spotify Music Converter.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1596

"C:\Users\admin\Downloads\dumpmedia-spotify-music-converter.exe"

C:\Users\admin\Downloads\dumpmedia-spotify-music-converter.exe

msedge.exe

User:

admin

Company:

DumpMedia

Integrity Level:

HIGH

Description:

DumpMedia Spotify Music Converter

Exit code:

Version:

3.1.35

Modules

Images
c:\users\admin\downloads\dumpmedia-spotify-music-converter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

88 519

Read events

87 410

Write events

704

Delete events

405

Modification events


(PID) Process:	(5200) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5200) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5200) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5200) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(5200) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(5200) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(6408) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\524798
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {D5D79B17-B160-4E29-BCED-9431A2B92A5D}
(PID) Process:	(6408) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6408) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6408) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1

Add for printing

Executable files

278

Suspicious files

1 495

Text files

356

Unknown types

Dropped files

PID	Process	Filename		Type
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1358e1.TMP		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1358e1.TMP		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1358e1.TMP		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1358e1.TMP		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135900.TMP		—
		MD5:—	SHA256:—
6408	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

471

DNS requests

420

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1596	dumpmedia-spotify-music-converter.exe	GET	200	172.217.16.195:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
1596	dumpmedia-spotify-music-converter.exe	GET	200	18.66.145.213:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	unknown	—	—	unknown
1596	dumpmedia-spotify-music-converter.exe	GET	200	172.217.16.195:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
760	lsass.exe	GET	200	23.53.40.161:80	http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgTXdiOsRTk%2BPG%2Fd33%2BsOSw%2BIw%3D%3D	unknown	—	—	whitelisted
6236	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2164	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e74ec02c-7f50-4b67-9a51-6cc67399bc04?P1=1733893124&P2=404&P3=2&P4=SJCtn2PPxLxYGzredEom09QCMHNtjgzuuQBiINrLtY8LIhwBGIz712gnr8whNHclXCVPd5BaP%2bGvBgRnTgvuwg%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2040	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.144:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6408	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
google.com	142.250.185.206	whitelisted
www.bing.com	104.126.37.144 104.126.37.129 104.126.37.128 104.126.37.131 104.126.37.137 104.126.37.130 104.126.37.185 104.126.37.123 104.126.37.155 104.126.37.178 104.126.37.163 104.126.37.160 104.126.37.162 104.126.37.170 2.23.209.187 2.23.209.133 2.23.209.130 2.23.209.182 2.23.209.149 2.23.209.140	whitelisted
login.live.com	20.190.159.23 20.190.159.75 20.190.159.2 40.126.31.71 20.190.159.4 40.126.31.73 20.190.159.68 20.190.159.71 40.126.32.72 20.190.160.14 40.126.32.136 40.126.32.74 20.190.160.17 40.126.32.134 20.190.160.20 40.126.32.140 20.190.159.64 20.190.159.0	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.dumpmedia.com	188.114.97.3 188.114.96.3	malicious
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted

Threats

PID	Process	Class	Message
7564	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
7992	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
8900	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
7564	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
6792	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
7132	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
7584	DumpMedia Spotify Music Converter.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)

Add for printing

Process	Message
msiexec.exe	Failed to release Service

General Info

https://www.dumpmedia.com/download/dumpmedia-spotify-music-converter.exe

7EB2BC98243D09647C516EC0C41E3F65

06C07EDC685A74923126B34C63153E85A0BC4AF5

3B7185A56E4DC4358B282A8ED67783AE3FF3B88C59D38AA97E8DDC9413F7C03E

3:N8DSLKFlNL/VwJayIdAq:2OLWlNJwJ9q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Creates a software uninstall entry

Checks Windows Trust Settings

Drops 7-zip archiver for unpacking

Process drops python dynamic module

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts itself from another location

Starts a Microsoft application from unusual location

Executes as Windows Service

Searches for installed software

Starts CMD.EXE for commands execution

Application launched itself

Starts application with an unusual extension

Using 'findstr.exe' to search for text patterns in files and output

Uses SYSTEMINFO.EXE to read the environment

Uses WMIC.EXE to obtain memory chip information

Uses WMIC.EXE to obtain computer system information

Executing commands from a ".bat" file

Uses WMIC.EXE to obtain local storage devices information

Accesses product unique identifier via WMI (SCRIPT)

Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

Uses WMIC.EXE to obtain Windows Installer data

Loads Python modules

Checks for external IP

The process executes via Task Scheduler

Reads the Windows owner or organization settings

INFO

Reads security settings of Internet Explorer

Reads the computer name

Manual execution by a user

Executable content was dropped or overwritten

The sample compiled with english language support

Reads Environment values

The process uses the downloaded file

Checks supported languages

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Application launched itself

Execution of CURL command

Reads the software policy settings

Reads the machine GUID from the registry

Creates files in the program directory

Reads product name

Changes the display of characters in the console

Reads Internet Explorer settings

Manages system restore points

Creates a software uninstall entry

Sends debugging messages

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information