URL:

tunefab.com

Full analysis: https://app.any.run/tasks/0f3b7ca9-0aed-4ebf-9d8e-d8618e9f753d
Verdict: Malicious activity
Analysis date: December 04, 2024, 14:34:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
arch-doc
python
Indicators:
MD5:

83BF6DD0BE2154A59F62FC13AD7CA2DD

SHA1:

38BABDDB07638DE3D43A125E530D6CCAE86F5790

SHA256:

E4549672146EE17A5E9A7DEC10EF3CA7201B2AC256D44DC7D19506397C4775B3

SSDEEP:

3:I2n:I2n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • music-converter.exe (PID: 7780)
    • Executable content was dropped or overwritten

      • music-converter.exe (PID: 7780)
      • TuneFab All-in-one Music Converter.exe (PID: 7540)
      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • vpdl.exe (PID: 3896)
      • TuneFab All-in-one Music Converter.exe (PID: 6032)
      • cmd.exe (PID: 3436)
      • vpdl.exe (PID: 4244)
      • vpdl.exe.downloading (PID: 7864)
      • vpdl.exe.downloading (PID: 1544)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • music-converter.exe (PID: 7780)
    • Drops 7-zip archiver for unpacking

      • music-converter.exe (PID: 7780)
    • Process drops python dynamic module

      • music-converter.exe (PID: 7780)
      • vpdl.exe (PID: 3896)
      • vpdl.exe (PID: 4244)
      • vpdl.exe.downloading (PID: 7864)
      • vpdl.exe.downloading (PID: 1544)
    • Checks Windows Trust Settings

      • music-converter.exe (PID: 7780)
    • The process drops C-runtime libraries

      • music-converter.exe (PID: 7780)
      • vpdl.exe (PID: 3896)
      • vpdl.exe (PID: 4244)
      • cmd.exe (PID: 3436)
      • vpdl.exe.downloading (PID: 7864)
      • vpdl.exe.downloading (PID: 1544)
    • Process drops legitimate windows executable

      • music-converter.exe (PID: 7780)
      • vpdl.exe (PID: 3896)
      • cmd.exe (PID: 3436)
      • vpdl.exe (PID: 4244)
      • vpdl.exe.downloading (PID: 7864)
      • vpdl.exe.downloading (PID: 1544)
    • Starts CMD.EXE for commands execution

      • TuneFab All-in-one Music Converter.exe (PID: 7540)
      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • cmd.exe (PID: 5640)
      • mshta.exe (PID: 6756)
      • vpdl.exe (PID: 5032)
      • vpdl.exe (PID: 6648)
      • vpdl.exe.downloading (PID: 3744)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7900)
      • cmd.exe (PID: 7896)
      • cmd.exe (PID: 7832)
      • cmd.exe (PID: 236)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 5992)
      • cmd.exe (PID: 3552)
      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 4648)
      • cmd.exe (PID: 7620)
      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 7688)
      • cmd.exe (PID: 1460)
      • cmd.exe (PID: 3840)
      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • vpdl.exe.downloading (PID: 7864)
      • TuneFab All-in-one Music Converter.exe (PID: 6032)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7896)
      • cmd.exe (PID: 7900)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7900)
      • cmd.exe (PID: 4648)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7832)
    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 236)
    • Application launched itself

      • TuneFab All-in-one Music Converter.exe (PID: 7540)
      • cmd.exe (PID: 5640)
      • vpdl.exe (PID: 3896)
      • vpdl.exe (PID: 4244)
      • vpdl.exe.downloading (PID: 7864)
    • Executing commands from a ".bat" file

      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • cmd.exe (PID: 5640)
      • mshta.exe (PID: 6756)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • TuneFab All-in-one Music Converter.exe (PID: 6032)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5864)
      • WMIC.exe (PID: 4388)
      • WMIC.exe (PID: 7436)
      • WMIC.exe (PID: 7812)
      • WMIC.exe (PID: 1080)
      • WMIC.exe (PID: 4024)
      • WMIC.exe (PID: 3560)
    • Checks for external IP

      • TuneFab All-in-one Music Converter.exe (PID: 7540)
    • Uses WMIC.EXE

      • cmd.exe (PID: 5992)
    • Uses WMIC.EXE to obtain Windows Installer data

      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • TuneFab All-in-one Music Converter.exe (PID: 6032)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 3524)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 7352)
    • Uses NSLOOKUP.EXE to check DNS info

      • cmd.exe (PID: 3552)
      • cmd.exe (PID: 6412)
    • Loads Python modules

      • vpdl.exe (PID: 5032)
      • vpdl.exe (PID: 6648)
      • vpdl.exe.downloading (PID: 3744)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7688)
      • cmd.exe (PID: 4972)
  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 8052)
      • music-converter.exe (PID: 7780)
      • curl.exe (PID: 3524)
      • curl.exe (PID: 7532)
      • TuneFab All-in-one Music Converter.exe (PID: 7540)
      • chcp.com (PID: 6244)
      • TuneFab All-in-one Music Converter.exe (PID: 1216)
      • TuneFab All-in-one Music Converter.exe (PID: 4672)
      • vpdl.exe (PID: 4244)
      • chcp.com (PID: 1856)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6284)
      • msedge.exe (PID: 6640)
    • Reads the computer name

      • identity_helper.exe (PID: 8052)
      • curl.exe (PID: 7532)
      • curl.exe (PID: 3524)
      • curl.exe (PID: 7776)
      • vpdl.exe (PID: 4244)
    • Reads Environment values

      • identity_helper.exe (PID: 8052)
      • TuneFab All-in-one Music Converter.exe (PID: 7540)
    • Process checks computer location settings

      • music-converter.exe (PID: 7780)
      • TuneFab All-in-one Music Converter.exe (PID: 1216)
    • Execution of CURL command

      • music-converter.exe (PID: 7780)
    • The process uses the downloaded file

      • music-converter.exe (PID: 7780)
    • Reads the machine GUID from the registry

      • music-converter.exe (PID: 7780)
    • Create files in a temporary directory

      • music-converter.exe (PID: 7780)
      • TuneFab All-in-one Music Converter.exe (PID: 7540)
    • Checks proxy server information

      • music-converter.exe (PID: 7780)
      • TuneFab All-in-one Music Converter.exe (PID: 7540)
      • mshta.exe (PID: 6756)
    • Reads the software policy settings

      • music-converter.exe (PID: 7780)
      • TuneFab All-in-one Music Converter.exe (PID: 7784)
    • Creates files in the program directory

      • music-converter.exe (PID: 7780)
    • Manual execution by a user

      • TuneFab All-in-one Music Converter.exe (PID: 7540)
    • Application launched itself

      • msedge.exe (PID: 6284)
    • Reads product name

      • TuneFab All-in-one Music Converter.exe (PID: 7540)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7896)
      • cmd.exe (PID: 7900)
      • cmd.exe (PID: 7832)
      • cmd.exe (PID: 236)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 5992)
      • cmd.exe (PID: 3552)
      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 7688)
      • cmd.exe (PID: 1460)
      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 4648)
      • cmd.exe (PID: 7620)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6248)
      • WMIC.exe (PID: 5864)
      • WMIC.exe (PID: 6648)
      • WMIC.exe (PID: 1412)
      • WMIC.exe (PID: 7876)
    • Creates files or folders in the user directory

      • TuneFab All-in-one Music Converter.exe (PID: 7540)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 6756)
    • Checks operating system version

      • vpdl.exe (PID: 5032)
      • vpdl.exe (PID: 6648)
      • vpdl.exe.downloading (PID: 3744)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
340
Monitored processes
203
Malicious processes
9
Suspicious processes
1

Behavior graph

Behavior graph (interactive in the full report; only the node labels survive here). Process images appearing as graph nodes, in order of first appearance ("no specs" marks nodes without detailed specs): msedge.exe, identity_helper.exe, music-converter.exe, curl.exe, conhost.exe, tunefab all-in-one music converter.exe, cmd.exe, reg.exe, chcp.com, systeminfo.exe, findstr.exe, wmic.exe, explorer.exe, vpdl.exe, tiworker.exe, mshta.exe, nslookup.exe, ipconfig.exe, vpdl.exe.downloading.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 236
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "chcp 65001 | wmic memorychip get Capacity"
Path: C:\Windows\System32\cmd.exe
Parent process: TuneFab All-in-one Music Converter.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 624
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 624
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 644
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2276,i,4249573709317218240,910546008428808341,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 716
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5352 --field-trial-handle=2276,i,4249573709317218240,910546008428808341,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 732
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 848
CMD: wmic csproduct get IdentifyingNumber
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: TuneFab All-in-one Music Converter.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: vpdl.exe.downloading
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
32 279
Read events
32 200
Write events
61
Delete events
18

Modification events

(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value:
0
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
2
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
1
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process: (6284) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value:
880C42F508872F00
(PID) Process: (6284) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value:
25715FF508872F00
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328532
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{B69A64E0-E6A9-40B9-8291-A3E9965CDD5B}
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328532
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{D92D2B4A-821A-4FAF-A335-16BD72DCE1BD}
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328532
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{E8BCAF16-524F-4B32-AF05-324FDDE9448A}
(PID) Process: (6284) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328532
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{16C886CD-F18D-49A8-A135-4A9C567ED668}
Executable files
573
Suspicious files
544
Text files
180
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135e7f.TMP
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135e8e.TMP
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135e9e.TMP
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135e9e.TMP
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135ecd.TMP
MD5:
SHA256:
PID: 6284
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
204
DNS requests
200
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2624
svchost.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2624
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
760
lsass.exe
GET
200
184.24.77.44:80
http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgSMu2adil0CKmgwUPVoWjkhIg%3D%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7780
music-converter.exe
GET
200
18.66.145.213:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2624
svchost.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2624
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4428
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6640
msedge.exe
188.114.97.3:443
tunefab.com
malicious
6284
msedge.exe
239.255.255.250:1900
whitelisted
6640
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
tunefab.com
  • 188.114.97.3
  • 188.114.96.3
malicious
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
www.tunefab.com
  • 188.114.97.3
  • 188.114.96.3
malicious

Threats

PID
Process
Class
Message
7540
TuneFab All-in-one Music Converter.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
No debug info