Malware analysis free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe Malicious activity

Add for printing

File name:	free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe
Full analysis:	https://app.any.run/tasks/5f4e2de7-602a-4e43-a7fe-ebd9aa559050
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 22:03:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	5DC236FEF4D7557E56677FDD15C11CE6
SHA1:	1EE4AE47EBC5B63711F92D85E87A5B518EEE6969
SHA256:	D5A227107114E4246B98FF87DB3C96173B829C7D32A24FEFABC11594913A5765
SSDEEP:	98304:0pyZEg8pfJo1OE5FsI1DxqbsSLhlxIlce/Unba+O+CB3jD9hlm:8v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Steals credentials from Web Browsers
  - setup.exe (PID: 7024)
  - setup.exe (PID: 6220)
  - assistant_installer.exe (PID: 6408)
- Actions looks like stealing of personal data
  - setup.exe (PID: 7024)
  - setup.exe (PID: 6220)
  - assistant_installer.exe (PID: 6408)
- Registers / Runs the DLL via REGSVR32.EXE
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7024)
- Executable content was dropped or overwritten
  - OperaSetup.exe (PID: 6992)
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7048)
  - setup.exe (PID: 7132)
  - setup.exe (PID: 7024)
  - setup.exe (PID: 6220)
  - setup.exe (PID: 4912)
  - free-m4a-to-mp3-converter-es-2022.1-installer.exe (PID: 372)
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
  - Assistant_116.0.5366.21_Setup.exe_sfx.exe (PID: 2216)
- Application launched itself
  - setup.exe (PID: 7024)
  - setup.exe (PID: 6220)
  - assistant_installer.exe (PID: 6400)
- Starts itself from another location
  - setup.exe (PID: 7024)
- Checks Windows Trust Settings
  - setup.exe (PID: 7024)
- Reads the Windows owner or organization settings
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 5592)
  - regsvr32.exe (PID: 2676)
- Process drops legitimate windows executable
  - Assistant_116.0.5366.21_Setup.exe_sfx.exe (PID: 2216)
INFO
- Reads the machine GUID from the registry
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7024)
- Reads CPU info
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
- Checks supported languages
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7024)
  - OperaSetup.exe (PID: 6992)
  - setup.exe (PID: 7048)
  - setup.exe (PID: 6220)
  - setup.exe (PID: 7132)
  - setup.exe (PID: 4912)
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
  - free-m4a-to-mp3-converter-es-2022.1-installer.exe (PID: 372)
  - audioconverter.exe (PID: 4764)
  - Assistant_116.0.5366.21_Setup.exe_sfx.exe (PID: 2216)
- The sample compiled with english language support
  - OperaSetup.exe (PID: 6992)
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7024)
  - setup.exe (PID: 7048)
  - setup.exe (PID: 7132)
  - setup.exe (PID: 6220)
  - setup.exe (PID: 4912)
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
  - Assistant_116.0.5366.21_Setup.exe_sfx.exe (PID: 2216)
- Sends debugging messages
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - assistant_installer.exe (PID: 6400)
- Checks proxy server information
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7024)
- Create files in a temporary directory
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7048)
  - setup.exe (PID: 7024)
  - setup.exe (PID: 7132)
  - setup.exe (PID: 6220)
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
  - Assistant_116.0.5366.21_Setup.exe_sfx.exe (PID: 2216)
- Reads the computer name
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 6220)
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
  - audioconverter.exe (PID: 4764)
- The process uses the downloaded file
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
- Reads the software policy settings
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
  - setup.exe (PID: 7024)
- Creates files or folders in the user directory
  - setup.exe (PID: 7024)
- Process checks computer location settings
  - free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe (PID: 6240)
- Creates files in the program directory
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)
- Creates a software uninstall entry
  - free-m4a-to-mp3-converter-es-2022.1-installer.tmp (PID: 2420)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:11:10 18:22:24+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.39
CodeSize:	2192384
InitializedDataSize:	2328576
UninitializedDataSize:	-
EntryPoint:	0x1cbfbc
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	3.1.0.11108
ProductVersionNumber:	3.1.0.11108
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Softonic
FileDescription:	Softonic
FileVersion:	3.1.0.11108
LegalCopyright:	(c) Softonic
ProductName:	Softonic
ProductVersion:	3.1.0.11108

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

5628

"C:\Users\admin\AppData\Local\Temp\free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe"

C:\Users\admin\AppData\Local\Temp\free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe

—

explorer.exe

User:

admin

Company:

Softonic

Integrity Level:

MEDIUM

Description:

Softonic

Exit code:

3221226540

Version:

3.1.0.11108

Modules

Images
c:\users\admin\appdata\local\temp\free-m4a-to-mp3-converter-es-2022.1-installer_zv-70a1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6240

"C:\Users\admin\AppData\Local\Temp\free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe"

C:\Users\admin\AppData\Local\Temp\free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe

explorer.exe

User:

admin

Company:

Softonic

Integrity Level:

HIGH

Description:

Softonic

Exit code:

Version:

3.1.0.11108

Modules

Images
c:\users\admin\appdata\local\temp\free-m4a-to-mp3-converter-es-2022.1-installer_zv-70a1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6992

"C:\Users\admin\AppData\Local\Temp\ISV5FA7.tmp\OperaSetup\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:pb,utm.source:ais,utm.campaign:opera_reengaged

C:\Users\admin\AppData\Local\Temp\ISV5FA7.tmp\OperaSetup\OperaSetup.exe

free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe

User:

admin

Integrity Level:

HIGH

Description:

Opera installer SFX

Version:

115.0.5322.119

Modules

Images
c:\users\admin\appdata\local\temp\isv5fa7.tmp\operasetup\operasetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

7024

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe --silent --allusers=0 --otd=utm.medium:pb,utm.source:ais,utm.campaign:opera_reengaged --server-tracking-blob=NDg5MmM0M2NiZmYxOTc2MjY3ZDE3MGIyMzA3NGYyODVjNDZhOGNmNjg5YTA1ZDg5NTRhNThiN2MxZWIzZDk4OTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInRpbWVzdGFtcCI6IjE3MzUwMzgwMTIuNzc0NSIsInVzZXJhZ2VudCI6InB5dGhvbi1yZXF1ZXN0cy8yLjMyLjMiLCJ1dG0iOnt9LCJ1dWlkIjoiYWFmNjZmNDQtNWMyYy00ZmJmLTg0YmQtN2Y2OTE0MGY0MGRiIn0=

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe

OperaSetup.exe

User:

admin

Company:

Opera Software

Integrity Level:

HIGH

Description:

Opera Installer

Version:

115.0.5322.119

Modules

Images
c:\users\admin\appdata\local\temp\7zs05b91dd3\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

7048

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x330,0x334,0x338,0x30c,0x33c,0x731a9d44,0x731a9d50,0x731a9d5c

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe

setup.exe

User:

admin

Company:

Opera Software

Integrity Level:

HIGH

Description:

Opera Installer

Version:

115.0.5322.119

Modules

Images
c:\users\admin\appdata\local\temp\7zs05b91dd3\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

7132

"C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

setup.exe

User:

admin

Company:

Opera Software

Integrity Level:

HIGH

Description:

Opera Installer

Exit code:

Version:

115.0.5322.119

Modules

Images
c:\users\admin\appdata\local\temp\.opera\opera installer temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6220

"C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=7024 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250110220420" --session-guid=bb63636f-57b9-4f52-8dc2-98664d614ca9 --server-tracking-blob=NmUzYTQxMDMwNTg1MjYxOWQ1ZjA4ZGU2MjNiYWJlNDE2MTc1ZmRhNjcyZTc4NmJlNWNiZGIzZDM1MjA0NTY4Njp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczNTAzODAxMi43NzQ1IiwidXNlcmFnZW50IjoicHl0aG9uLXJlcXVlc3RzLzIuMzIuMyIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX3JlZW5nYWdlZCIsIm1lZGl1bSI6InBiIiwic291cmNlIjoiYWlzIn0sInV1aWQiOiJhYWY2NmY0NC01YzJjLTRmYmYtODRiZC03ZjY5MTQwZjQwZGIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3806000000000000

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe

setup.exe

User:

admin

Company:

Opera Software

Integrity Level:

HIGH

Description:

Opera Installer

Version:

115.0.5322.119

Modules

Images
c:\users\admin\appdata\local\temp\7zs05b91dd3\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

4912

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x33c,0x340,0x344,0x308,0x348,0x72529d44,0x72529d50,0x72529d5c

C:\Users\admin\AppData\Local\Temp\7zS05B91DD3\setup.exe

setup.exe

User:

admin

Company:

Opera Software

Integrity Level:

HIGH

Description:

Opera Installer

Version:

115.0.5322.119

Modules

Images
c:\users\admin\appdata\local\temp\7zs05b91dd3\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

372

"C:\Users\admin\Downloads\free-m4a-to-mp3-converter-es-2022.1-installer.exe"

C:\Users\admin\Downloads\free-m4a-to-mp3-converter-es-2022.1-installer.exe

free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe

User:

admin

Company:

dvdvideomedia, Inc.

Integrity Level:

HIGH

Description:

Free Audio Converter Setup

Exit code:

Version:

Modules

Images
c:\users\admin\downloads\free-m4a-to-mp3-converter-es-2022.1-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

2420

"C:\Users\admin\AppData\Local\Temp\is-6D65R.tmp\free-m4a-to-mp3-converter-es-2022.1-installer.tmp" /SL5="$60308,5149579,121344,C:\Users\admin\Downloads\free-m4a-to-mp3-converter-es-2022.1-installer.exe"

C:\Users\admin\AppData\Local\Temp\is-6D65R.tmp\free-m4a-to-mp3-converter-es-2022.1-installer.tmp

free-m4a-to-mp3-converter-es-2022.1-installer.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-6d65r.tmp\free-m4a-to-mp3-converter-es-2022.1-installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

Add for printing

Total events

5 467

Read events

5 420

Write events

Delete events

Modification events


(PID) Process:	(6240) free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation:	write	Name:	Implementing
Value: 1C00000001000000E907010005000A001600040012001603010000001E768127E028094199FEB9D127C57AFE
(PID) Process:	(6240) free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation:	write	Name:	Implementing
Value: 1C00000001000000E907010005000A001600040012001903010000001E768127E028094199FEB9D127C57AFE
(PID) Process:	(6240) free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000140A9498AB63DB01
(PID) Process:	(7024) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7024) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7024) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6220) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Opera Software
Operation:	write	Name:	Last Stable Install Path
Value: C:\Users\admin\AppData\Local\Programs\Opera\
(PID) Process:	(2676) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4B11047-79C1-44C5-B6F2-8A868755ABE5}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(2676) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A4B11047-79C1-44C5-B6F2-8A868755ABE5}
Operation:	write	Name:	FriendlyName
Value: TrackSwitch
(PID) Process:	(2676) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A4B11047-79C1-44C5-B6F2-8A868755ABE5}
Operation:	write	Name:	CLSID
Value: {A4B11047-79C1-44C5-B6F2-8A868755ABE5}

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6240	free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	C:\Users\admin\AppData\Local\Temp\ISV5FA7.tmp\OperaSetup.zip		compressed
		MD5:93E74A1DFA2153FB7C32CBB1D6065517	SHA256:72EED7F97751D0159D216B68D2A29E56C8502F00E3ED40219E9D8B4C97A3E69E
6240	free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	C:\Users\admin\AppData\Local\Temp\ISV5FA7.tmp\OperaSetup\OperaSetup.exe		executable
		MD5:7576A1BF33EDB92CE3CAC344DE107AFB	SHA256:BCA7E687A39AC52D8DDB0E95F0886BA3D194FF55A11CDF09FC2B0DA9EBBAD572
7024	setup.exe	C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat		binary
		MD5:9D493CF71C19FECC8532896FACEF94F5	SHA256:EF042E3C076B082E66C50DFE2A3C8454768B591AAFB1E1D578713CEC5B1D6FDC
7024	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_9AD8E6D69BA520C5190A9B86E29789D5		binary
		MD5:9B4622A3EFA556AFAFD3EBCDC676073D	SHA256:A59933A96A02F3342EB2670A610307242DC9915244FDC05064EF3143DBA45A79
7024	setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\features[1].json		binary
		MD5:D32C9616AD3FBCC151596FD0F4E4F8CD	SHA256:BDF567FF5F5CB7B980C41C754BCAE29209EC25C19426D897DA44AAB2EBDB2714
7024	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		binary
		MD5:671D034283D391F6BC00E184D19A9E1E	SHA256:B5256BAF2637C6121DE90485DC138EE6C5F0278524737A28C35E594F0349B8BF
7024	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_9AD8E6D69BA520C5190A9B86E29789D5		binary
		MD5:B6A40AA73200B08F8F0719AE6E9534C6	SHA256:40DC2F15BA7652617B01B7FEA3BC6863350049B9197FA811361313C0FFD1CFEF
6240	free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	C:\Users\admin\Downloads\free-m4a-to-mp3-converter-es-2022.1-installer.exe		executable
		MD5:AF922ED8A82746D3075C445FEA4EC641	SHA256:620890DEE4647E0729979440A7EFAC1F5FC974332B0EC921CDE3A27B516022BF
7024	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419		binary
		MD5:1ED7F7F95A9D4744FCD73E637FBC992A	SHA256:5F9035BD8932EFA7131449873CC4A17CC0F1273488FDB2A0A89669E9FCCCFF3A
7048	setup.exe	C:\Users\admin\AppData\Local\Temp\Opera_installer_2501102204196847048.dll		executable
		MD5:41DAEDCDA16A5341463070DBAC45624A	SHA256:733701D47B47B544D0B96343B521266702BD8E43EDCB7C799C9CBAF07C7E3838

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7024	setup.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEA17ZgsSl63KHstWnAbUez0%3D	unknown	—	—	whitelisted
7024	setup.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAkd76%2BHl%2BdEje5x5DkdF8w%3D	unknown	—	—	whitelisted
7024	setup.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	—	—	whitelisted
4624	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4624	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	104.126.37.144:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5780	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.48.23.147 23.48.23.158 23.48.23.176 23.48.23.167 23.48.23.162 23.48.23.169 23.48.23.166 23.48.23.145 23.48.23.141	whitelisted
www.bing.com	104.126.37.144 104.126.37.147 104.126.37.153 104.126.37.185 104.126.37.179 104.126.37.130 104.126.37.145 104.126.37.123 104.126.37.155	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
di7e1j5f1plfo.cloudfront.net	18.245.78.188 18.245.78.145 18.245.78.212 18.245.78.185	whitelisted
images.sftcdn.net	146.75.121.91	whitelisted
login.live.com	20.190.159.75 40.126.31.67 20.190.159.2 20.190.159.0 20.190.159.73 20.190.159.68 40.126.31.69 20.190.159.71	whitelisted
gsf-fl.softonic.com	146.75.121.91	whitelisted

Threats

No threats detected

Add for printing

Process	Message
free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	LoadingPage
free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	WelcomePage
free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	ProductPage
free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	DownloadPageDLM
free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe	FinishPageDLM
assistant_installer.exe	[0110/220450.611:INFO:assistant_installer_main.cc(168)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501102204201\assistant\assistant_installer.exe" --version

General Info

free-m4a-to-mp3-converter-es-2022.1-installer_Zv-70A1.exe

5DC236FEF4D7557E56677FDD15C11CE6

1EE4AE47EBC5B63711F92D85E87A5B518EEE6969

D5A227107114E4246B98FF87DB3C96173B829C7D32A24FEFABC11594913A5765

98304:0pyZEg8pfJo1OE5FsI1DxqbsSLhlxIlce/Unba+O+CB3jD9hlm:8v

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Application launched itself

Starts itself from another location

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Creates/Modifies COM task schedule object

Process drops legitimate windows executable

INFO

Reads the machine GUID from the registry

Reads CPU info

Checks supported languages

The sample compiled with english language support

Sends debugging messages

Checks proxy server information

Create files in a temporary directory

Reads the computer name

The process uses the downloaded file

Reads the software policy settings

Creates files or folders in the user directory

Process checks computer location settings

Creates files in the program directory

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings