General Info

File name

WcInstaller.exe

Full analysis
https://app.any.run/tasks/fba70e80-6e9f-443f-8855-698dca60c8df
Verdict
Malicious activity
Analysis date
8/13/2019, 20:38:02
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

loader

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

3a61797cff12598b31443d5bce21e470

SHA1

90cd8fe538c6eae59aab414182a6eebb0b5ace6e

SHA256

2c8cb61f622f8c4c4babc19ebf9fad759d9913c4ca47ad393448c48bad08d71a

SSDEEP

6144:m1OgDPdkBAFZWjadD4sKxJHbyDOLgI7VDh1R1KiScfwVVM20HdTA:m1OgLdanVwOv7KiwiA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • WcInstaller.exe (PID: 3788)
  • WebCompanionInstaller.exe (PID: 3604)
  • WebCompanionInstaller.exe (PID: 1640)
Loads dropped or rewritten executable
  • WebCompanionInstaller.exe (PID: 1640)
Downloads executable files from the Internet
  • WebCompanionInstaller.exe (PID: 3604)
Creates files in the user directory
  • WebCompanionInstaller.exe (PID: 1640)
Executed as Windows Service
  • PresentationFontCache.exe (PID: 3076)
Reads internet explorer settings
  • WebCompanionInstaller.exe (PID: 1640)
Reads Internet Cache Settings
  • WebCompanionInstaller.exe (PID: 1640)
Executable content was dropped or overwritten
  • WebCompanionInstaller.exe (PID: 3604)
  • WcInstaller.exe (PID: 2916)
  • WcInstaller.exe (PID: 3788)
Creates files in the program directory
  • WebCompanionInstaller.exe (PID: 3604)
Creates files in the Windows directory
  • WebCompanionInstaller.exe (PID: 3604)

No info indicators.

More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2010:11:18 17:27:35+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
104960
InitializedDataSize:
58880
UninitializedDataSize:
null
EntryPoint:
0x14b04
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
4.7.1987.3881
ProductVersionNumber:
4.7.1987.3881
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
FileVersion:
4.7.1987.3881
ProductVersion:
4.7.1987.3881
CompanyName:
Lavasoft
FileDescription:
Web Companion Installer
InternalName:
Installer.exe
LegalCopyright:
© Lavasoft Limited. All Rights Reserved.
OriginalFileName:
Installer.exe
ProductName:
Web Companion Installer

Processes

Total processes
42
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

[Interactive graph not reproduced. Nodes: wcinstaller.exe (no specs), wcinstaller.exe, webcompanioninstaller.exe, wcinstaller.exe, webcompanioninstaller.exe, presentationfontcache.exe (no specs). Edge labels: drop and start, start, download and start, drop and start.]

Process information

PID
2196
CMD
"C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path
C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Lavasoft
Description
Web Companion Installer
Version
4.7.1987.3881
Modules
Image
c:\users\admin\appdata\local\temp\wcinstaller.exe
c:\systemroot\system32\ntdll.dll

PID
2916
CMD
"C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path
C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Lavasoft
Description
Web Companion Installer
Version
4.7.1987.3881
Modules
Image
c:\users\admin\appdata\local\temp\wcinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\7zs9f22.tmp\webcompanioninstaller.exe

PID
3604
CMD
.\WebCompanionInstaller.exe --prod
Path
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe
Indicators
Parent process
WcInstaller.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Lavasoft
Description
Web Companion
Version
4.7.1987.3881
Modules
Image
c:\users\admin\appdata\local\temp\7zs9f22.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\windowsbase\cf293040f3a93afa1ea782487acae816\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationcore\2ad23de8284d4594aa658dfb5e667d97\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationframewo#\bfaf8f86e69928fb2f67987c0203f603\presentationframework.ni.dll
c:\windows\assembly\gac_32\presentationcore\3.0.0.0__31bf3856ad364e35\presentationcore.dll
c:\windows\microsoft.net\framework\v3.0\wpf\wpfgfx_v0300.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.servicemodel\e2642bff810609f64343e53dddb6b59c\system.servicemodel.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.servicemodel#\4782a5d2bc7d86895faf404a3470aacb\system.servicemodel.web.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\smdiagnostics\8218dc4808b77f3585fb048c61597af1\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.web\da5da08245467818759aa44c4eb948e1\system.web.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.seri#\4a984a9ad59d14063bc6ae64a0c8f62a\system.runtime.serialization.ni.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.workflowserv#\f0f10d0591d11a36ee2aa8ee2fbdb2bf\system.workflowservices.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.identitymodel\b4c60dd01be760ee0452df2c040de8fc\system.identitymodel.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\wctmp_1097033925\wcinstaller.exe

PID
3788
CMD
"C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe" --nanouniqueid=1565721500210 --prod
Path
C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe
Indicators
Parent process
WebCompanionInstaller.exe
User
admin
Integrity Level
HIGH
Version:
Company
Lavasoft
Description
Web Companion Installer
Version
4.6.1974.3869
Modules
Image
c:\users\admin\appdata\local\temp\wctmp_1097033925\wcinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\7zsb857.tmp\webcompanioninstaller.exe

PID
1640
CMD
.\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod
Path
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe
Indicators
Parent process
WcInstaller.exe
User
admin
Integrity Level
HIGH
Version:
Company
Lavasoft
Description
Web Companion
Version
4.6.1974.3869
Modules
Image
c:\users\admin\appdata\local\temp\7zsb857.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\windowsbase\cf293040f3a93afa1ea782487acae816\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationcore\2ad23de8284d4594aa658dfb5e667d97\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationframewo#\bfaf8f86e69928fb2f67987c0203f603\presentationframework.ni.dll
c:\windows\assembly\gac_32\presentationcore\3.0.0.0__31bf3856ad364e35\presentationcore.dll
c:\windows\microsoft.net\framework\v3.0\wpf\wpfgfx_v0300.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.servicemodel\e2642bff810609f64343e53dddb6b59c\system.servicemodel.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.servicemodel#\4782a5d2bc7d86895faf404a3470aacb\system.servicemodel.web.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\smdiagnostics\8218dc4808b77f3585fb048c61597af1\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.web\da5da08245467818759aa44c4eb948e1\system.web.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.seri#\4a984a9ad59d14063bc6ae64a0c8f62a\system.runtime.serialization.ni.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.workflowserv#\f0f10d0591d11a36ee2aa8ee2fbdb2bf\system.workflowservices.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.identitymodel\b4c60dd01be760ee0452df2c040de8fc\system.identitymodel.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\local\temp\7zsb857.tmp\en-us\webcompanioninstaller.resources.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationframewo#\2897c35bf2bc4ef171004bfc2909aaf3\presentationframework.classic.ni.dll
c:\windows\system32\presentationnative_v0300.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\msctfui.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sxs.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\uiautomationprovider\ab8ac659d9525c6a0cd22c6f3734862f\uiautomationprovider.ni.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mlang.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\propsys.dll

PID
3076
CMD
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
Path
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
Indicators
No indicators
Parent process
––
User
LOCAL SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
PresentationFontCache.exe
Version
3.0.6920.4902 built by: NetFXw7
Modules
Image
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationfontcac#\b3ade8d5c0d4bb5d4940bcafd3453642\presentationfontcache.ni.exe
c:\windows\assembly\nativeimages_v2.0.50727_32\system.serviceproce#\20008c75bb41e2febf84d4d4aea5b4e8\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\windowsbase\cf293040f3a93afa1ea782487acae816\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\presentationcore\2ad23de8284d4594aa658dfb5e667d97\presentationcore.ni.dll
c:\windows\assembly\gac_32\presentationcore\3.0.0.0__31bf3856ad364e35\presentationcore.dll
c:\windows\microsoft.net\framework\v3.0\wpf\wpfgfx_v0300.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll

Registry activity

Total events
623
Read events
570
Write events
52
Delete events
1

Modification events

PID | Process | Operation | Key | Name | Value
3604 | WebCompanionInstaller.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion | MachineId | 735550bb-0faf-aab3-c4f6-bbac563dacb9
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | EnableFileTracing | 0
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | EnableConsoleTracing | 0
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | FileTracingMask | 4294901760
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | ConsoleTracingMask | 4294901760
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | MaxFileSize | 1048576
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | FileDirectory | %windir%\tracing
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | EnableFileTracing | 0
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | EnableConsoleTracing | 0
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | FileTracingMask | 4294901760
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | ConsoleTracingMask | 4294901760
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | MaxFileSize | 1048576
3604 | WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | FileDirectory | %windir%\tracing
3604 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3604 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
1640 | WebCompanionInstaller.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | WebCompanionInstaller.exe
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value not captured in this extract)
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814 | CachePath | %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814 | CachePrefix | :2019081320190814:
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814 | CacheLimit | 8192
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814 | CacheOptions | 11
1640 | WebCompanionInstaller.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814 | CacheRepair | 0
1640 | WebCompanionInstaller.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324 | –– | ––

Files activity

Executable files
25
Suspicious files
2
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe
executable
MD5: 983126d093d759abe0a803043a870bfb
SHA256: 14bd9a54ecfb6888500b1b419354bc79406433a563fcec564b630c7b5fb12c3a
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\pt-BR\WebCompanionInstaller.resources.dll
executable
MD5: ef47558677617bf746324d2a9a6ca9d4
SHA256: 66287740e227e901d2fb923d29e72e92c9fa5976c7640974502e96ea18ff19f6
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\zh-CHS\WebCompanionInstaller.resources.dll
executable
MD5: 7158ca8ae5b7af947831f01e6ee23a9e
SHA256: cc0b2a00f9cdbcc1d2ee43326e79afbf928e7a5a0b74dfd80c3913d28a2c03c1
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\it-IT\WebCompanionInstaller.resources.dll
executable
MD5: 74028423f00ddd005fcc458e55fde973
SHA256: 61cc645ae60a886b813e09ebbae21e25f652796548f221c1805404712e616fa7
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\fr-CA\WebCompanionInstaller.resources.dll
executable
MD5: ae501e1e38e9441f1676fecac07ec500
SHA256: 71258c049ee312398640c10600e427417277a28df5f4377c9c03c080e90a0d74
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\de-DE\WebCompanionInstaller.resources.dll
executable
MD5: 56074f8728fbbbf61d6fa5c7242364bd
SHA256: 6102c31cd6a2225f2a8dc1a57695f8a5b44f77fa6b980504bcbba5d2dd8b7346
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\ja-JP\WebCompanionInstaller.resources.dll
executable
MD5: 0f8b02aab043304a3eb95672ea5e3b63
SHA256: 9006ffd5085f692047640ab90206fd4b539955c010d7ab0cecce347157866af4
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\pt-BR\WebCompanionInstaller.resources.dll
executable
MD5: 9037eda2b234ef8949e954ea58129ca9
SHA256: a63fa4752c59256d721b9f8a9c10717934f0645f2af343eb2e402e73f2634eed
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\ru-RU\WebCompanionInstaller.resources.dll
executable
MD5: b1dc8002ec4e170df7829a406cec8e5e
SHA256: d725df10d4eeaffbd46c418a837973dca8711ce6309a5a3da2f6f170dbbae28c
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\ja-JP\WebCompanionInstaller.resources.dll
executable
MD5: c215668c39b9e8b452ffd9a5c02ab14f
SHA256: 6652ede6208b9263924fd1877af505a2398c860fec08ea7643310bbabdf82eaf
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\it-IT\WebCompanionInstaller.resources.dll
executable
MD5: 95c77760e59ae55d66ef3a4ec27196ea
SHA256: 90a5882f805856905b377f16fa92a47bc72b881aafb0ebd0d808c4a7782dc842
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\tr-TR\WebCompanionInstaller.resources.dll
executable
MD5: 570feb77bfe279c7e7f8ae1013a6e03e
SHA256: 4650e5633937201b3be594d9aff796b9906d87f7ddbccac358d40e3897e2dbd1
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\en-US\WebCompanionInstaller.resources.dll
executable
MD5: bcea86c657b1a9e88709589ba1b8daf1
SHA256: 1926bd0876246864d963040479fafc39fff09c520648702044bf491d46a7abfd
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\es-ES\WebCompanionInstaller.resources.dll
executable
MD5: 3b1f8153db545af1c33e745751dfc1ea
SHA256: 4057fc8ea6dd8d7e047065f0080a2ad7199737da707707a95c5265c94f7edc89
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\en-US\WebCompanionInstaller.resources.dll
executable
MD5: 8e66595b9ebbc4000f43291272163ddd
SHA256: 955f937a777811b06deed765e247aa36f49ba29a68bd0c48ca0d7bf9bce79951
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\es-ES\WebCompanionInstaller.resources.dll
executable
MD5: 78e9ba35d10413b7647ea1dff9b5f2c6
SHA256: 03f7833014a803ace4488ae12d82811f8e72b9d84298f78b50bac9e607a59767
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\tr-TR\WebCompanionInstaller.resources.dll
executable
MD5: 5dcb7528f84570a4100896be2b8351a5
SHA256: 28cdf74d37fb969e9b6b87dea06e2b44bfea9da2189a18d1a2320417ffb20155
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe
executable
MD5: 3f16422477412fa12b07d019c6ba7013
SHA256: 26f0e6c994d5cf722110ad4812caa6e7eac6b375bc336b99a283bb0b3f850b7f
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\ICSharpCode.SharpZipLib.dll
executable
MD5: 56d0b6a1915b355d68c3e8d2af082692
SHA256: f32175cd424f7f89fd1405c4e7d40f91ff1f3a647981b1852816ed84847ccb10
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\de-DE\WebCompanionInstaller.resources.dll
executable
MD5: d0b53bb9eff62fd3886f618d4439d197
SHA256: d971d6dc60a23c889a843ccc003db9a67e40f941b96ec1346b1ff7b6c355373b
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\ru-RU\WebCompanionInstaller.resources.dll
executable
MD5: ecf044b1bfc1929f3fbdfeb2f8c83b97
SHA256: af249b66ca708c8085ba1abc1630d0c9fcce3cb72d344e34d48cffaab24643d5
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\ICSharpCode.SharpZipLib.dll
executable
MD5: d38b1d6d43ab0213611d59815efe0194
SHA256: e044844177d08fbea417a35f87df85db64db264eec625a46576052b6a3eb9d33
3604
WebCompanionInstaller.exe
C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe
executable
MD5: f6c0153dc91797b5bb70129054989fea
SHA256: aba95f04591adf8e41fdc9a7ca43a22134355cabdfea0cb28bb3a884c773a0f9
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\fr-CA\WebCompanionInstaller.resources.dll
executable
MD5: d91408fa5f319b565ffe70fc5e863697
SHA256: fa6b8ba3ade9d1d6d0371a9bdd09f478de524fc89f4e825bff989d269bde9b25
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\zh-CHS\WebCompanionInstaller.resources.dll
executable
MD5: 8dea3e6186f43a8213dd597ccb3f388d
SHA256: f6cbc214b88b7a30594dc0cd0fab8c93dc50b50e441d39fe050720a118013f20
3604
WebCompanionInstaller.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
binary
MD5: ad64855f0bc8ccabd74efc4e1e6ef552
SHA256: e3e52809b5375a94349049da8d6ea3af2ff4a2846798d957cceec79140f36543
3604
WebCompanionInstaller.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
––
MD5:  ––
SHA256:  ––
1640
WebCompanionInstaller.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 740f8285f150fed76cd0146f382151d3
SHA256: 22037f94b85dbc7612990f9a9b89f188aea3a21c2e346f93b5cda4fba9fee2cf
3604
WebCompanionInstaller.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
binary
MD5: ad64855f0bc8ccabd74efc4e1e6ef552
SHA256: e3e52809b5375a94349049da8d6ea3af2ff4a2846798d957cceec79140f36543
3788
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe.config
xml
MD5: 1d0d9d32fb69c7f2f33b4e56d93e2c6d
SHA256: c022a2b126c1bad1774e7f9d3a5f50f30cb6b3758a2f870fc676160275f69eac
1640
WebCompanionInstaller.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\styles[1].css
text
MD5: 07698ba80b805d772a2ac8ac3375df46
SHA256: 78df154e056b8220fca4cf44526556bd64305e7fc9d25d060119641290f23143
1640
WebCompanionInstaller.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\consent_2[1].htm
html
MD5: c7d30258c4aad3ccb0df8c29a310f476
SHA256: 72910997362904f3dfa7dbf3a764487f5da199a54894d918430e127da8cf1fa5
3604
WebCompanionInstaller.exe
C:\Users\admin\AppData\Local\Temp\WcInstaller.log
text
MD5: 5901354888b31d525771e159f5a4649f
SHA256: 26b85aee6400c51199545e08519d4e5d9b938404b46694bf5a20aabe615170a6
3604
WebCompanionInstaller.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
––
MD5:  ––
SHA256:  ––
1640
WebCompanionInstaller.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: ef8112f62a1a6b356b62cf64d6de0c89
SHA256: 165b134d10f717cb3256cdf0a5932dd727b5a83297c3ad2006f06ae5479f67a4
3604
WebCompanionInstaller.exe
C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt
text
MD5: c60d50c6be198f862f0b0f6c06c338b2
SHA256: 1de878a586e6317f595f2304c71268ff7558491c4de98a80ceb8edd6dc31c35f
1640
WebCompanionInstaller.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\jquery-1.11.2.min[1].js
text
MD5: 5790ead7ad3ba27397aedfa3d263b867
SHA256: 2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0
2916
WcInstaller.exe
C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe.config
xml
MD5: 1d0d9d32fb69c7f2f33b4e56d93e2c6d
SHA256: c022a2b126c1bad1774e7f9d3a5f50f30cb6b3758a2f870fc676160275f69eac
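The table above carries more than a list of hashes: two separate staging directories under %TEMP% (7zS9F22.tmp populated by PID 2916, 7zSB857.tmp by PID 3788), the same member names unpacked into each with different hashes except for WebCompanionInstaller.exe.config, and a fresh WcInstaller.exe written to wctmp_1097033925 by PID 3604 (the one fetched from wcdownloadercdn.lavasoft.com in the network section). The Python below is an added example and not part of the ANY.RUN report: DROPPED is a subset of the records transcribed from the table, while the regexes, the helper functions and the reading of 7zS<hex>.tmp as a 7-Zip SFX staging directory are the editor's assumptions.

```python
"""Triage checks over a sandbox report's "Dropped files" table.

Added example, not part of the ANY.RUN report. DROPPED is a subset of the
records transcribed from the table above; the regexes, functions and the
7zS<hex>.tmp interpretation are the editor's own assumptions.
"""
import re
from collections import defaultdict

# (pid, process, path, type, md5), transcribed from the report
DROPPED = [
    (2916, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe", "executable", "983126d093d759abe0a803043a870bfb"),
    (3788, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe", "executable", "3f16422477412fa12b07d019c6ba7013"),
    (2916, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\en-US\WebCompanionInstaller.resources.dll", "executable", "8e66595b9ebbc4000f43291272163ddd"),
    (3788, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\en-US\WebCompanionInstaller.resources.dll", "executable", "bcea86c657b1a9e88709589ba1b8daf1"),
    (2916, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\ICSharpCode.SharpZipLib.dll", "executable", "56d0b6a1915b355d68c3e8d2af082692"),
    (3788, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\ICSharpCode.SharpZipLib.dll", "executable", "d38b1d6d43ab0213611d59815efe0194"),
    (2916, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe.config", "xml", "1d0d9d32fb69c7f2f33b4e56d93e2c6d"),
    (3788, "WcInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe.config", "xml", "1d0d9d32fb69c7f2f33b4e56d93e2c6d"),
    (3604, "WebCompanionInstaller.exe", r"C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe", "executable", "f6c0153dc91797b5bb70129054989fea"),
    (3604, "WebCompanionInstaller.exe", r"C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt", "text", "c60d50c6be198f862f0b0f6c06c338b2"),
]

# Assumption: a %TEMP%\7zS<hex>.tmp directory is the staging area a 7-Zip SFX
# stub unpacks into before launching its payload.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SFX_DIR = re.compile(r"\\Temp\\(7zS[0-9A-F]+\.tmp)\\", re.IGNORECASE)


def temp_executables(records):
    """Executables written under a user's %TEMP%: the first thing a hunt query pulls."""
    return [path for _, _, path, ftype, _ in records
            if ftype == "executable" and USER_TEMP.search(path)]


def staging_dirs(records):
    """Map each SFX staging directory to the PID(s) that wrote into it."""
    dirs = defaultdict(set)
    for pid, _, path, _, _ in records:
        match = SFX_DIR.search(path)
        if match:
            dirs[match.group(1)].add(pid)
    return dict(dirs)


def member_name(path):
    """Lower-cased path relative to its staging directory, so the same archive
    member can be matched across unpacks; None for files outside a staging dir."""
    match = SFX_DIR.search(path)
    return path[match.end():].lower() if match else None


def compare_members(records):
    """Split members unpacked more than once into those whose MD5 changed
    (two different builds were staged) and those that did not (build-independent,
    here the .exe.config)."""
    seen = defaultdict(list)
    for _, _, path, _, md5 in records:
        name = member_name(path)
        if name:
            seen[name].append(md5)
    changed = {n: sorted(set(h)) for n, h in seen.items() if len(set(h)) > 1}
    unchanged = sorted(n for n, h in seen.items() if len(h) > 1 and len(set(h)) == 1)
    return changed, unchanged


if __name__ == "__main__":
    print("executables under %TEMP%:", len(temp_executables(DROPPED)))
    for directory, pids in staging_dirs(DROPPED).items():
        print(f"staging dir {directory} written by PID(s) {sorted(pids)}")
    changed, unchanged = compare_members(DROPPED)
    for name, hashes in changed.items():
        print(f"rehashed across unpacks: {name} -> {hashes}")
    print("unchanged across unpacks:", unchanged)
```

Run against the full table the same way: a member that is rehashed between staging directories is evidence of a second build, not of tampering in the sandbox, and the unchanged .exe.config is the artefact to hash-match across versions when writing a detection.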

Network activity

HTTP(S) requests
8
TCP/UDP connections
9
DNS requests
7
Threats
3

HTTP requests

PID Process Method HTTP Code IP URL CN Type Reputation
3604 WebCompanionInstaller.exe POST 200 64.18.87.82:80 http://wc-tracking.lavasoft.com/Install.asmx CA text,xml whitelisted
3604 WebCompanionInstaller.exe POST 200 64.18.87.82:80 http://wc-update-service.lavasoft.com/update.asmx CA text,xml whitelisted
3604 WebCompanionInstaller.exe GET 200 104.18.88.101:80 http://wcdownloadercdn.lavasoft.com/4.6.1974.3869/WcInstaller.exe US executable whitelisted
1640 WebCompanionInstaller.exe POST 200 64.18.87.82:80 http://wc-tracking.lavasoft.com/Install.asmx CA text,xml whitelisted
1640 WebCompanionInstaller.exe POST 200 64.18.87.82:80 http://wc-update-service.lavasoft.com/update.asmx CA text,xml whitelisted
1640 WebCompanionInstaller.exe GET 200 104.17.177.102:80 http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1 US html malicious
1640 WebCompanionInstaller.exe GET 200 205.185.208.52:80 http://code.jquery.com/jquery-1.11.2.min.js US text whitelisted
1640 WebCompanionInstaller.exe GET 200 104.17.178.102:80 http://webcompanion.com/installer/css/styles.css?1565721530 US text malicious

Connections

PID Process IP ASN CN Reputation
3604 WebCompanionInstaller.exe 64.18.87.82:80 COGECODATA CA unknown
3604 WebCompanionInstaller.exe 104.18.88.101:80 Cloudflare Inc US malicious
1640 WebCompanionInstaller.exe 64.18.87.82:80 COGECODATA CA unknown
1640 WebCompanionInstaller.exe 104.17.177.102:80 Cloudflare Inc US suspicious
1640 WebCompanionInstaller.exe 205.185.208.52:80 Highwinds Network Group, Inc. US unknown
1640 WebCompanionInstaller.exe 104.17.178.102:80 Cloudflare Inc US suspicious

DNS requests

Domain IP Reputation
wc-tracking.lavasoft.com 64.18.87.82, 64.18.87.81 whitelisted
wc-update-service.lavasoft.com 64.18.87.82, 64.18.87.81 whitelisted
wcdownloadercdn.lavasoft.com 104.18.88.101, 104.18.87.101 whitelisted
www.webcompanion.com 104.17.177.102, 104.17.178.102 malicious
webcompanion.com 104.17.178.102, 104.17.177.102 malicious
code.jquery.com 205.185.208.52 whitelisted

Threats

PID Process Class Message
3604 WebCompanionInstaller.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3604 WebCompanionInstaller.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1640 WebCompanionInstaller.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

Debug output strings

Process Message
WebCompanionInstaller.exe 8/13/2019 7:38:26 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod, Run as admin: True
WebCompanionInstaller.exe 8/13/2019 7:38:26 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod, Run as admin: True
WebCompanionInstaller.exe 8/13/2019 7:38:26 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod, Run as admin: True
WebCompanionInstaller.exe 8/13/2019 7:38:26 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod, Run as admin: True
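The HTTP, DNS and connection tables, the three IDS alerts and the debug strings above support a few checks an analyst would script rather than eyeball: the single PE fetched over plain HTTP on port 80 (the condition behind the two ET alerts on PID 3604; its URL path carries the same 4.6.1974.3869 version the debug string reports), whether every contacted IP came back from an observed DNS answer, whether each URL's host resolved to the IP the request actually went to, and which values are per-run rather than stable indicators: the --nanouniqueid=1565721500210 argument and the ?1565721530 cache-buster on styles.css are both Unix timestamps, decoding to 2019-08-13 18:38:20 and 18:38:50 UTC, thirty seconds apart. The Python below is an added example and not part of the ANY.RUN report: HTTP, DNS and CONNECTIONS are transcribed from the tables above, and the functions, the URL normalisation and the reading of the reputation tags are the editor's assumptions.

```python
"""Checks and IOC extraction over a sandbox report's network tables.

Added example, not part of the ANY.RUN report. HTTP, DNS and CONNECTIONS are
transcribed from the report; the functions and their interpretation are the
editor's own assumptions.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

# (pid, process, method, status, ip:port, url, type, reputation) from "HTTP requests"
HTTP = [
    (3604, "WebCompanionInstaller.exe", "POST", 200, "64.18.87.82:80", "http://wc-tracking.lavasoft.com/Install.asmx", "text", "whitelisted"),
    (3604, "WebCompanionInstaller.exe", "POST", 200, "64.18.87.82:80", "http://wc-update-service.lavasoft.com/update.asmx", "text", "whitelisted"),
    (3604, "WebCompanionInstaller.exe", "GET", 200, "104.18.88.101:80", "http://wcdownloadercdn.lavasoft.com/4.6.1974.3869/WcInstaller.exe", "executable", "whitelisted"),
    (1640, "WebCompanionInstaller.exe", "POST", 200, "64.18.87.82:80", "http://wc-tracking.lavasoft.com/Install.asmx", "text", "whitelisted"),
    (1640, "WebCompanionInstaller.exe", "POST", 200, "64.18.87.82:80", "http://wc-update-service.lavasoft.com/update.asmx", "text", "whitelisted"),
    (1640, "WebCompanionInstaller.exe", "GET", 200, "104.17.177.102:80", "http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1", "html", "malicious"),
    (1640, "WebCompanionInstaller.exe", "GET", 200, "205.185.208.52:80", "http://code.jquery.com/jquery-1.11.2.min.js", "text", "whitelisted"),
    (1640, "WebCompanionInstaller.exe", "GET", 200, "104.17.178.102:80", "http://webcompanion.com/installer/css/styles.css?1565721530", "text", "malicious"),
]

# domain -> addresses returned, from "DNS requests"
DNS = {
    "wc-tracking.lavasoft.com": {"64.18.87.82", "64.18.87.81"},
    "wc-update-service.lavasoft.com": {"64.18.87.82", "64.18.87.81"},
    "wcdownloadercdn.lavasoft.com": {"104.18.88.101", "104.18.87.101"},
    "www.webcompanion.com": {"104.17.177.102", "104.17.178.102"},
    "webcompanion.com": {"104.17.178.102", "104.17.177.102"},
    "code.jquery.com": {"205.185.208.52"},
}

# (pid, ip:port) from "Connections"
CONNECTIONS = [
    (3604, "64.18.87.82:80"), (3604, "104.18.88.101:80"), (1640, "64.18.87.82:80"),
    (1640, "104.17.177.102:80"), (1640, "205.185.208.52:80"), (1640, "104.17.178.102:80"),
]


def host_of(url):
    return urlsplit(url).hostname


def ip_of(ipport):
    return ipport.rsplit(":", 1)[0]


def plaintext_exe_downloads(rows):
    """The condition behind 'ET POLICY PE EXE or DLL Windows file download HTTP':
    a PE fetched over cleartext HTTP, so nothing on the wire authenticates the payload."""
    return [(pid, url) for pid, _, method, _, _, url, ftype, _ in rows
            if method == "GET" and ftype == "executable" and urlsplit(url).scheme == "http"]


def unresolved_connections(conns, dns):
    """IPs connected to without a matching DNS answer in the run (hard-coded C2 smell)."""
    resolved = set().union(*dns.values())
    return sorted({ip_of(ipport) for _, ipport in conns} - resolved)


def host_ip_mismatches(rows, dns):
    """Requests whose destination IP was not among the answers for the URL's host."""
    return [(pid, host_of(url), ip_of(ipport)) for pid, _, _, _, ipport, url, _, _ in rows
            if ip_of(ipport) not in dns.get(host_of(url), set())]


def strip_query(url):
    """Drop the query string: '?1565721530' is a cache-buster and 'culture=en&hp=1&se=1'
    is client state; the scheme, host and path are the part worth matching on."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def epoch_ms_utc(ms):
    """Decode a millisecond Unix timestamp (the --nanouniqueid value) with exact
    integer arithmetic, avoiding float rounding in datetime.fromtimestamp."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def iocs(rows, dns, skip=("whitelisted",)):
    """Hosts, normalised URLs and resolved IPs for every request the report did not
    tag with a reputation listed in `skip`."""
    out = {}
    for _, _, _, _, _, url, _, rep in rows:
        if rep in skip:
            continue
        host = host_of(url)
        entry = out.setdefault(host, {"urls": set(), "ips": set(dns.get(host, ()))})
        entry["urls"].add(strip_query(url))
    return out


if __name__ == "__main__":
    print("PE over plain HTTP:", plaintext_exe_downloads(HTTP))
    print("connections with no DNS answer:", unresolved_connections(CONNECTIONS, DNS))
    print("host/IP mismatches:", host_ip_mismatches(HTTP, DNS))
    print("nanouniqueid decodes to:", epoch_ms_utc(1565721500210).isoformat())
    for host, entry in iocs(HTTP, DNS).items():
        print(host, sorted(entry["ips"]), sorted(entry["urls"]))
```

The third alert, SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7), keys on the User-Agent header, which this extract does not reproduce, so it cannot be re-derived from these tables; the PCAP in the full report is the place to confirm it. Both timestamp values should be dropped from any IOC list built from this run, since the next execution will carry different ones.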