URL:

https://mp3studio-downloader.software.informer.com/1.3/

Full analysis: https://app.any.run/tasks/2fcf31f5-f43d-4bea-85ef-79909d3ece56
Verdict: Malicious activity
Analysis date: May 06, 2021, 07:45:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MD5:

E7F5CD15648D7FBD35A38C8542582789

SHA1:

CAE684CDC10A58A18BED2148AE366DF44FDDD0AE

SHA256:

A4E3687798A37B1B596083179EBCA3BF7C1AF5B84F64EAFB54EC9F441EE152A4

SSDEEP:

3:N81XBLI8S9uXiKD9j48N:2V6Y08N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MP3StudioDownloader_5_5_5.exe (PID: 3936)
      • MP3StudioDownloader_5_5_5.exe (PID: 2240)
      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • Mediadl.Setup.Bootstrapper.exe (PID: 3716)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • WcInstaller.exe (PID: 2728)
      • WebCompanionInstaller.exe (PID: 2596)
      • MP3StudioDownloader.exe (PID: 3944)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • instup.exe (PID: 912)
      • instup.exe (PID: 3076)
      • sbr.exe (PID: 2804)
      • WebCompanion.exe (PID: 524)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)
      • WebCompanion.exe (PID: 2808)
      • SetupInf.exe (PID: 2816)
      • SetupInf.exe (PID: 2376)
      • SetupInf.exe (PID: 3912)
      • SetupInf.exe (PID: 3240)
      • AvEmUpdate.exe (PID: 2144)
      • AvEmUpdate.exe (PID: 3184)
      • AvEmUpdate.exe (PID: 2980)
      • AvEmUpdate.exe (PID: 2816)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 2036)
      • CCUpdate.exe (PID: 3708)
      • CCUpdate.exe (PID: 3672)
      • avBugReport.exe (PID: 2768)
      • avBugReport.exe (PID: 3512)
      • SetupInf.exe (PID: 1472)
      • SetupInf.exe (PID: 2552)
      • CCUpdate.exe (PID: 1796)
      • RegSvr.exe (PID: 1800)
      • RegSvr.exe (PID: 2576)
      • AvastNM.exe (PID: 3208)
      • engsup.exe (PID: 2760)
      • overseer.exe (PID: 4016)
      • wsc_proxy.exe (PID: 2464)
      • AvastSvc.exe (PID: 3180)
      • aswToolsSvc.exe (PID: 2448)
      • engsup.exe (PID: 2560)
      • wsc_proxy.exe (PID: 1812)

    • Drops executable file immediately after starts

      • MP3StudioDownloader_5_5_5.exe (PID: 3936)
      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • WcInstaller.exe (PID: 2728)
      • CCUpdate.exe (PID: 2036)
      • DrvInst.exe (PID: 1012)

    • Loads dropped or rewritten executable

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • MP3StudioDownloader.exe (PID: 3944)
      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 912)
      • WebCompanion.exe (PID: 524)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)
      • WebCompanion.exe (PID: 2808)
      • instup.exe (PID: 3076)
      • AvEmUpdate.exe (PID: 2816)
      • avBugReport.exe (PID: 2768)
      • CCUpdate.exe (PID: 3672)
      • avBugReport.exe (PID: 3512)
      • AvastSvc.exe (PID: 3180)
      • aswToolsSvc.exe (PID: 2448)

    • Changes settings of System certificates

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • WebCompanionInstaller.exe (PID: 2596)
      • WebCompanion.exe (PID: 524)
      • SetupInf.exe (PID: 2552)

    • Changes the autorun value in the registry

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • Mediadl.Setup.Bootstrapper.exe (PID: 3716)
      • MP3StudioDownloader.exe (PID: 3944)
      • instup.exe (PID: 3076)
      • WebCompanion.exe (PID: 524)

    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 2596)

    • Steals credentials from Web Browsers

      • WebCompanion.exe (PID: 524)
      • WebCompanion.exe (PID: 2808)

    • Starts Visual C# compiler

      • WebCompanion.exe (PID: 524)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)

    • Actions looks like stealing of personal data

      • WebCompanion.exe (PID: 524)
      • WebCompanion.exe (PID: 2808)

    • Loads the Task Scheduler COM API

      • AvEmUpdate.exe (PID: 2144)
      • AvEmUpdate.exe (PID: 2980)
      • CCUpdate.exe (PID: 3708)
      • CCUpdate.exe (PID: 1796)
      • overseer.exe (PID: 4016)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 1308)
      • MP3StudioDownloader_5_5_5.exe (PID: 3936)
      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • Mediadl.Setup.Bootstrapper.exe (PID: 3716)
      • WcInstaller.exe (PID: 2728)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • MP3StudioDownloader.exe (PID: 3944)
      • instup.exe (PID: 912)
      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 3076)
      • AvEmUpdate.exe (PID: 2980)
      • AvEmUpdate.exe (PID: 2816)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 3708)
      • CCUpdate.exe (PID: 2036)
      • SetupInf.exe (PID: 2552)
      • DrvInst.exe (PID: 1012)
      • overseer.exe (PID: 4016)
      • AvastSvc.exe (PID: 3180)

    • Creates files in the Windows directory

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • MP3StudioDownloader_5_5_5.exe (PID: 3936)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • instup.exe (PID: 912)
      • instup.exe (PID: 3076)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)
      • WebCompanion.exe (PID: 524)
      • WebCompanionInstaller.exe (PID: 2596)
      • csc.exe (PID: 2680)
      • DrvInst.exe (PID: 1012)
      • SetupInf.exe (PID: 2552)
      • AvastSvc.exe (PID: 3180)

    • Reads Environment values

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • MP3StudioDownloader.exe (PID: 3944)

    • Drops a file with too old compile date

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • instup.exe (PID: 3076)

    • Drops a file that was compiled in debug mode

      • chrome.exe (PID: 1308)
      • MP3StudioDownloader_5_5_5.exe (PID: 3936)
      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • Mediadl.Setup.Bootstrapper.exe (PID: 3716)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • WcInstaller.exe (PID: 2728)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • MP3StudioDownloader.exe (PID: 3944)
      • instup.exe (PID: 912)
      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 3076)
      • AvEmUpdate.exe (PID: 2980)
      • AvEmUpdate.exe (PID: 2816)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 2036)
      • CCUpdate.exe (PID: 3708)
      • SetupInf.exe (PID: 2552)
      • DrvInst.exe (PID: 1012)
      • overseer.exe (PID: 4016)
      • AvastSvc.exe (PID: 3180)

    • Drops a file with a compile date too recent

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • WcInstaller.exe (PID: 2728)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • instup.exe (PID: 912)
      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 3076)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 2036)
      • CCUpdate.exe (PID: 3708)
      • AvEmUpdate.exe (PID: 2980)
      • SetupInf.exe (PID: 2552)
      • DrvInst.exe (PID: 1012)
      • overseer.exe (PID: 4016)
      • AvastSvc.exe (PID: 3180)

    • Adds / modifies Windows certificates

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • WebCompanionInstaller.exe (PID: 2596)
      • WebCompanion.exe (PID: 524)

    • Creates files in the user directory

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • MP3StudioDownloader.exe (PID: 3944)
      • WebCompanionInstaller.exe (PID: 2596)
      • WebCompanion.exe (PID: 524)
      • WebCompanion.exe (PID: 2808)

    • Starts itself from another location

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • instup.exe (PID: 912)
      • CCUpdate.exe (PID: 2036)

    • Creates files in the program directory

      • Mediadl.Setup.Bootstrapper.exe (PID: 3716)
      • MP3StudioDownloader.exe (PID: 3944)
      • WebCompanionInstaller.exe (PID: 2596)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • instup.exe (PID: 912)
      • WebCompanion.exe (PID: 524)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)
      • instup.exe (PID: 3076)
      • WebCompanion.exe (PID: 2808)
      • AvEmUpdate.exe (PID: 2144)
      • AvEmUpdate.exe (PID: 2980)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 2036)
      • CCUpdate.exe (PID: 3708)
      • CCUpdate.exe (PID: 1796)
      • avBugReport.exe (PID: 2768)
      • AvastNM.exe (PID: 3208)
      • engsup.exe (PID: 2760)
      • wsc_proxy.exe (PID: 2464)
      • overseer.exe (PID: 4016)
      • AvastSvc.exe (PID: 3180)
      • aswToolsSvc.exe (PID: 2448)

    • Creates a software uninstall entry

      • Mediadl.Setup.Bootstrapper.exe (PID: 3716)
      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 3076)
      • AvEmUpdate.exe (PID: 2816)

    • Low-level read access rights to disk partition

      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • instup.exe (PID: 912)
      • avast_free_antivirus_setup_online.exe (PID: 2820)
      • instup.exe (PID: 3076)
      • SetupInf.exe (PID: 2376)
      • SetupInf.exe (PID: 2816)
      • SetupInf.exe (PID: 3912)
      • SetupInf.exe (PID: 3240)
      • AvEmUpdate.exe (PID: 3184)
      • AvEmUpdate.exe (PID: 2816)
      • AvEmUpdate.exe (PID: 2980)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 2036)
      • CCUpdate.exe (PID: 3708)
      • CCUpdate.exe (PID: 3672)
      • CCUpdate.exe (PID: 1796)
      • avBugReport.exe (PID: 2768)
      • SetupInf.exe (PID: 1472)
      • SetupInf.exe (PID: 2552)
      • avBugReport.exe (PID: 3512)
      • RegSvr.exe (PID: 1800)
      • RegSvr.exe (PID: 2576)
      • overseer.exe (PID: 4016)
      • wsc_proxy.exe (PID: 2464)
      • aswToolsSvc.exe (PID: 2448)
      • wsc_proxy.exe (PID: 1812)
      • AvastSvc.exe (PID: 3180)

    • Searches for installed software

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)

    • Changes default file association

      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • instup.exe (PID: 3076)

    • Creates or modifies windows services

      • instup.exe (PID: 912)
      • instup.exe (PID: 3076)

    • Removes files from Windows directory

      • instup.exe (PID: 912)
      • instup.exe (PID: 3076)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)
      • WebCompanionInstaller.exe (PID: 2596)
      • csc.exe (PID: 2680)
      • DrvInst.exe (PID: 1012)
      • SetupInf.exe (PID: 2552)

    • Creates a directory in Program Files

      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 3076)
      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 3708)
      • AvEmUpdate.exe (PID: 2980)
      • engsup.exe (PID: 2760)
      • AvastSvc.exe (PID: 3180)

    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 2596)

    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 2596)
      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)

    • Executed as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 4036)
      • PresentationFontCache.exe (PID: 1180)
      • wsc_proxy.exe (PID: 1812)
      • AvastSvc.exe (PID: 3180)
      • aswToolsSvc.exe (PID: 2448)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 2476)
      • cmd.exe (PID: 3324)

    • Creates files in the driver directory

      • instup.exe (PID: 3076)
      • DrvInst.exe (PID: 1012)
      • SetupInf.exe (PID: 2552)

    • Creates/Modifies COM task schedule object

      • instup.exe (PID: 3076)
      • RegSvr.exe (PID: 1800)
      • RegSvr.exe (PID: 2576)

    • Application launched itself

      • AvEmUpdate.exe (PID: 2980)
      • CCUpdate.exe (PID: 3708)

    • Checks for external IP

      • CCUpdate.exe (PID: 3632)
      • CCUpdate.exe (PID: 2036)
      • CCUpdate.exe (PID: 3708)
      • CCUpdate.exe (PID: 3672)
      • CCUpdate.exe (PID: 1796)

    • Executed via COM

      • DrvInst.exe (PID: 1012)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 1308)

    • Reads the hosts file

      • chrome.exe (PID: 2460)
      • chrome.exe (PID: 1308)
      • instup.exe (PID: 912)
      • instup.exe (PID: 3076)
      • overseer.exe (PID: 4016)

    • Reads settings of System Certificates

      • chrome.exe (PID: 1308)
      • chrome.exe (PID: 2460)
      • MP3StudioDownloader_5_5_5.exe (PID: 3360)
      • avast_free_antivirus_setup_online.exe (PID: 1708)
      • WebCompanionInstaller.exe (PID: 2596)

    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 2596)
      • instup.exe (PID: 3076)
      • AvEmUpdate.exe (PID: 2980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
75
Malicious processes
28
Suspicious processes
12

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs mp3studiodownloader_5_5_5.exe no specs chrome.exe no specs mp3studiodownloader_5_5_5.exe mp3studiodownloader_5_5_5.exe mediadl.setup.bootstrapper.exe avast_free_antivirus_setup_online.exe wcinstaller.exe webcompanioninstaller.exe mp3studiodownloader.exe avast_free_antivirus_setup_online.exe instup.exe instup.exe sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs netsh.exe no specs sbr.exe no specs webcompanion.exe lavasoft.wcassistant.winservice.exe csc.exe no specs cmd.exe no specs netsh.exe no specs cvtres.exe no specs webcompanion.exe presentationfontcache.exe no specs csc.exe cvtres.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs avemupdate.exe no specs avemupdate.exe avemupdate.exe avemupdate.exe ccupdate.exe ccupdate.exe ccupdate.exe ccupdate.exe ccupdate.exe avbugreport.exe avbugreport.exe setupinf.exe no specs setupinf.exe drvinst.exe regsvr.exe no specs regsvr.exe no specs avastnm.exe no specs overseer.exe engsup.exe no specs wsc_proxy.exe no specs wsc_proxy.exe no specs avastsvc.exe aswtoolssvc.exe no specs engsup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
524"C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo= C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
WebCompanionInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
7.0.2417.4248
Modules
Images
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
604"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= autoC:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
688"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1024,8072353345941389428,16310563317416062233,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5970092325893046421 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
748"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1024,8072353345941389428,16310563317416062233,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=949306279657236433 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
912"C:\Windows\Temp\asw.ade08d032367b60b\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ade08d032367b60b /edition:1 /prod:ais /guid:eb861e93-1615-4031-90e6-5aa178665823 /ga_clientid:d4b51fe9-6f53-40a8-844a-34ada2dada62 /silent /ws /cookie:mmm_mrk_ppi_004_408_n /ga_clientid:d4b51fe9-6f53-40a8-844a-34ada2dada62 /edat_dir:C:\Windows\Temp\asw.70ce354543100573C:\Windows\Temp\asw.ade08d032367b60b\instup.exe
avast_free_antivirus_setup_online.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
21.3.6164.0
Modules
Images
c:\windows\temp\asw.ade08d032367b60b\instup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1012DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{417c9aae-248f-1282-89ec-b91a7f180869}\aswNetNd6.inf" "0" "6128e1ea7" "00000558" "WinSta0\Default" "000005D0" "208" "C:\Program Files\Avast Software\Avast\setup\Inf"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1180C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Exit code:
0
Version:
3.0.6920.4902 built by: NetFXw7
Modules
Images
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1216"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\oc6kvg4s.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeWebCompanion.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1308"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "https://mp3studio-downloader.software.informer.com/1.3/"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1392netsh http add urlacl url=http://+:9007/ user=EveryoneC:\Windows\system32\netsh.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
Total events
8 808
Read events
3 299
Write events
5 486
Delete events
23

Modification events

(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2608) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:1308-13264760775081000
Value:
259
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(1308) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3252-13245750958665039
Value:
0
(PID) Process:(1308) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
Executable files
624
Suspicious files
251
Text files
554
Unknown types
33

Dropped files

PID
Process
Filename
Type
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60939EC8-51C.pma
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\5fe963fa-f587-4e72-aa53-7384658e7554.tmp
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF14fb85.TMPtext
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF14fc8f.TMPtext
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.oldtext
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
1308chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF14fec1.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
72
TCP/UDP connections
214
DNS requests
173
Threats
32

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2460
chrome.exe
GET
302
87.250.250.119:80
http://mc.yandex.ru/metrika/watch.js
RU
whitelisted
1708
avast_free_antivirus_setup_online.exe
POST
142.250.184.206:80
http://www.google-analytics.com/collect
US
whitelisted
2596
WebCompanionInstaller.exe
GET
104.18.87.101:80
http://wcdownloadercdn.lavasoft.com/7.0.2417.4248/WebCompanion-7.0.2417.4248-prod.zip
US
whitelisted
3360
MP3StudioDownloader_5_5_5.exe
POST
142.250.186.78:80
http://www.google-analytics.com/collect
US
whitelisted
2596
WebCompanionInstaller.exe
POST
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
whitelisted
2460
chrome.exe
GET
301
54.173.41.122:80
http://e.informer.com/o/mp3.studio/AA022575
US
suspicious
3944
MP3StudioDownloader.exe
POST
142.250.184.206:80
http://www.google-analytics.com/collect
US
whitelisted
2820
avast_free_antivirus_setup_online.exe
GET
142.250.184.206:80
http://www.google-analytics.com/collect?aiid=mmm_mrk_ppi_004_408_n&an=Free&av=21.3.6164&cd=stub-extended&cd3=Online&cid=eb861e93-1615-4031-90e6-5aa178665823&dt=Installation&t=screenview&tid=UA-58120669-3&v=1
US
whitelisted
1708
avast_free_antivirus_setup_online.exe
GET
23.32.238.98:80
http://iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
US
whitelisted
2596
WebCompanionInstaller.exe
POST
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2460
chrome.exe
100.25.93.238:443
mp3studio-downloader.software.informer.com
US
unknown
2460
chrome.exe
142.250.186.130:443
Google Inc.
US
whitelisted
2460
chrome.exe
74.117.179.74:443
art-u2.infcdn.net
WZ Communications Inc.
US
unknown
2460
chrome.exe
208.88.224.98:443
i.informer.com
WZ Communications Inc.
US
unknown
2460
chrome.exe
74.117.179.70:443
img.informer.com
WZ Communications Inc.
US
suspicious
2460
chrome.exe
173.194.222.156:443
partner.googleadservices.com
Google Inc.
US
unknown
2460
chrome.exe
142.250.186.98:443
www.googletagservices.com
Google Inc.
US
suspicious
2460
chrome.exe
172.217.20.2:443
googleads.g.doubleclick.net
Google Inc.
US
unknown
2460
chrome.exe
173.194.220.138:443
www.google-analytics.com
Google Inc.
US
whitelisted
2460
chrome.exe
142.250.185.202:443
fonts.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
mp3studio-downloader.software.informer.com
  • 100.25.93.238
suspicious
accounts.google.com
  • 109.73.171.242
shared
img.informer.com
  • 74.117.179.70
whitelisted
pagead2.googlesyndication.com
  • 13.107.13.80
whitelisted
art-u1.infcdn.net
  • 131.253.33.200
  • 13.107.22.200
suspicious
art-u3.infcdn.net
  • 131.253.33.200
  • 13.107.22.200
suspicious
www.google-analytics.com
  • 173.194.220.138
  • 173.194.220.102
  • 173.194.220.101
  • 173.194.220.100
  • 173.194.220.139
  • 173.194.220.113
  • 142.250.186.78
  • 142.250.184.206
whitelisted
i.informer.com
  • 208.88.224.98
whitelisted
hits.informer.com
  • 204.155.159.109
unknown
software.informer.com
  • 100.25.93.238
whitelisted

Threats

PID
Process
Class
Message
3360
MP3StudioDownloader_5_5_5.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3360
MP3StudioDownloader_5_5_5.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3360
MP3StudioDownloader_5_5_5.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3360
MP3StudioDownloader_5_5_5.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3944
MP3StudioDownloader.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
1708
avast_free_antivirus_setup_online.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2980
AvEmUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3632
CCUpdate.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup (avast .com)
2036
CCUpdate.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup (avast .com)
3708
CCUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
14 ETPRO signatures available at the full report
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
AvastSvc.exe
[2021-05-06 07:51:22.891] [error ] [tasks ] [ 3180: 2548] task asw::settings::SettingsModule::OnPropertyChanged: failed without a caller check. Exception: asw::event_routing::rpc::GenericEventSender: rpcEndpoint is NULL.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mp3studio-downloader.software.informer.com/1.3/