File name: mp3tagv329-x64-setup.exe
Full analysis: https://app.any.run/tasks/89fb46e2-3fad-4b44-8d2d-a20dd99574e7
Verdict: Malicious activity
Analysis date: May 23, 2025, 11:19:53
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: C06A031202D7C6DEA2E9D2AE00132712
SHA1: 4E8F3C35491B7BC4B547FEF7C133950E30E9129C
SHA256: D18C619868E3170C01DE1DEB059B06DA5B50EF78F79A986A8918D5493177D406
SSDEEP: 98304:ZOvBV1+1DY8zFbOSjBn8zcmN6ePBYFNEdcmIICCL9JK/bPrf4gOLQGH9jLuWk1pP:z8Fp+vQYiU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • mp3tagv329-x64-setup.exe (PID: 2108)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • mp3tagv329-x64-setup.exe (PID: 2108)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • mp3tagv329-x64-setup.exe (PID: 2108)
    • The process creates files with name similar to system file names

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • mp3tagv329-x64-setup.exe (PID: 2108)
    • Reads security settings of Internet Explorer

      • mp3tagv329-x64-setup.exe (PID: 3888)
    • Application launched itself

      • mp3tagv329-x64-setup.exe (PID: 3888)
    • Creates a software uninstall entry

      • mp3tagv329-x64-setup.exe (PID: 2108)
    • There is functionality for taking screenshots (YARA)

      • mp3tagv329-x64-setup.exe (PID: 2108)
      • Mp3tag.exe (PID: 5556)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1676)
  • INFO

    • Checks supported languages

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • mp3tagv329-x64-setup.exe (PID: 2108)
      • Mp3tag.exe (PID: 5556)
    • Reads the computer name

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • Mp3tag.exe (PID: 5556)
      • mp3tagv329-x64-setup.exe (PID: 2108)
    • The sample was compiled with English language support

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • mp3tagv329-x64-setup.exe (PID: 2108)
    • Creates files in a temporary directory

      • mp3tagv329-x64-setup.exe (PID: 3888)
      • mp3tagv329-x64-setup.exe (PID: 2108)
    • Process checks computer location settings

      • mp3tagv329-x64-setup.exe (PID: 3888)
    • Creates files in the program directory

      • mp3tagv329-x64-setup.exe (PID: 2108)
    • The sample was compiled with German language support

      • mp3tagv329-x64-setup.exe (PID: 2108)
    • Creates files or folders in the user directory

      • Mp3tag.exe (PID: 5556)
    • Checks proxy server information

      • Mp3tag.exe (PID: 5556)
      • slui.exe (PID: 4200)
    • Reads the software policy settings

      • slui.exe (PID: 4200)
      • Mp3tag.exe (PID: 5556)
    • Reads the machine GUID from the registry

      • Mp3tag.exe (PID: 5556)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.29.0.0
ProductVersionNumber: 3.29.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Mp3tag Installer
FileVersion: 3.29.0.0
LegalCopyright: Copyright (c) 1999-2025 Florian Heidenreich. All rights reserved.
ProductName: Mp3tag
ProductVersion: v3.29
No data.
Total processes: 137
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, mp3tagv329-x64-setup.exe, mp3tagv329-x64-setup.exe, regsvr32.exe (no specs), mp3tag.exe, slui.exe

Process information

PID: 1676
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Mp3tag\Mp3tagShell64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: mp3tagv329-x64-setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 2108
CMD: "C:\Users\admin\Desktop\mp3tagv329-x64-setup.exe" /UAC:702CC /NCRC
Path: C:\Users\admin\Desktop\mp3tagv329-x64-setup.exe
Parent process: mp3tagv329-x64-setup.exe
User: admin
Integrity Level: HIGH
Description: Mp3tag Installer
Exit code: 0
Version: 3.29.0.0
Modules (Images):
c:\users\admin\desktop\mp3tagv329-x64-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3888
CMD: "C:\Users\admin\Desktop\mp3tagv329-x64-setup.exe"
Path: C:\Users\admin\Desktop\mp3tagv329-x64-setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Mp3tag Installer
Exit code: 0
Version: 3.29.0.0
Modules (Images):
c:\users\admin\desktop\mp3tagv329-x64-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 4200
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5556
CMD: "C:\Program Files\Mp3tag\Mp3tag.exe"
Path: C:\Program Files\Mp3tag\Mp3tag.exe
Parent process: mp3tagv329-x64-setup.exe
User: admin
Company: Florian Heidenreich
Integrity Level: MEDIUM
Description: Mp3tag - the universal Tag editor
Version: 3.29.0.0
Modules (Images):
c:\program files\mp3tag\mp3tag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 8 156
Read events: 8 138
Write events: 18
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2108 | mp3tagv329-x64-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mp3tag | EstimatedSize | 15628
2108 | mp3tagv329-x64-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Florian Heidenreich\Mp3tag\Install | Start Menu Folder | Mp3tag
1676 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Mp3tagShell.DLL | AppID | {C4A76138-4C6F-49EB-906C-CE806841A851}
1676 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6351E20C-35FA-4BE3-98FB-4CABF1363E12}\InprocServer32 | ThreadingModel | Apartment
1676 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5277B5BA-BAC4-40D9-B5E5-2726D9AE89AA}\TypeLib | Version | 1.0
1676 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5277B5BA-BAC4-40D9-B5E5-2726D9AE89AA}\TypeLib | Version | 1.0
2108 | mp3tagv329-x64-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Florian Heidenreich\Mp3tag\Install | InstDir | C:\Program Files\Mp3tag
2108 | mp3tagv329-x64-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mp3tag | DisplayIcon | C:\Program Files\Mp3tag\Mp3tag.exe
2108 | mp3tagv329-x64-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mp3tag | DisplayName | Mp3tag v3.29
2108 | mp3tagv329-x64-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mp3tag | DisplayVersion | 3.29
Executable files: 13
Suspicious files: 6
Text files: 148
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3888 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsrC671.tmp\nsDialogs.dll | executable | B7D61F3F56ABF7B7FF0D4E7DA3AD783D | 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
2108 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nseE766.tmp\modern-wizard.bmp | image | 9E4CD80A60DB6947642677BF31A10906 | A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925
3888 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsrC671.tmp\modern-header.bmp | image | 583C38FB0F5AF5FE584D9A9B01D6A3E7 | 4C9E804CE1A391F8E603B7B9C732A6529C1E81BE4D12F125C8562EA9D49095C2
3888 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsrC671.tmp\modern-wizard.bmp | image | 9E4CD80A60DB6947642677BF31A10906 | A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925
2108 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nseE766.tmp\nsDialogs.dll | executable | B7D61F3F56ABF7B7FF0D4E7DA3AD783D | 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
2108 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nseE766.tmp\modern-header.bmp | image | 583C38FB0F5AF5FE584D9A9B01D6A3E7 | 4C9E804CE1A391F8E603B7B9C732A6529C1E81BE4D12F125C8562EA9D49095C2
3888 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsrC671.tmp\UAC.dll | executable | ADB29E6B186DAA765DC750128649B63D | 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
3888 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsrC671.tmp\System.dll | executable | 192639861E3DC2DC5C08BB8F8C7260D5 | 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
2108 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nseE766.tmp\UserInfo.dll | executable | F8B6DD1F9620BE4EF2AD1E81FB6B79FA | A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
2108 | mp3tagv329-x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nseE766.tmp\nsProcess.dll | executable | F0438A894F3A7E01A4AAE8D1B5DD0289 | 30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
HTTP(S) requests: 39
TCP/UDP connections: 54
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2656 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2656 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.129:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.31.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2656 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2656 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2656 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.4
  • 20.190.160.2
  • 20.190.160.128
  • 20.190.160.22
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.66
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
download.mp3tag.de
  • 88.99.27.130
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info