download:

WcInstaller.exe

Full analysis: https://app.any.run/tasks/ffcc9f6c-28a1-4348-a164-c07c55586ff9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 10, 2019, 11:49:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3A61797CFF12598B31443D5BCE21E470

SHA1:

90CD8FE538C6EAE59AAB414182A6EEBB0B5ACE6E

SHA256:

2C8CB61F622F8C4C4BABC19EBF9FAD759D9913C4CA47AD393448C48BAD08D71A

SSDEEP:

6144:m1OgDPdkBAFZWjadD4sKxJHbyDOLgI7VDh1R1KiScfwVVM20HdTA:m1OgLdanVwOv7KiwiA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • WebCompanionInstaller.exe (PID: 2936)

    • Application was dropped or rewritten from another process

      • WebCompanionInstaller.exe (PID: 2936)
      • WebCompanionInstaller.exe (PID: 664)
      • WcInstaller.exe (PID: 3160)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2288)
      • Ad-Aware Web Companion.exe (PID: 3896)
      • WebCompanion.exe (PID: 2212)

    • Changes settings of System certificates

      • WebCompanionInstaller.exe (PID: 2936)

    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 664)
      • WebCompanion.exe (PID: 2212)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2288)

    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 664)

    • Changes the autorun value in the registry

      • WebCompanion.exe (PID: 2212)

  • SUSPICIOUS

    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 2936)
      • WebCompanionInstaller.exe (PID: 664)
      • WebCompanion.exe (PID: 2212)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2288)

    • Executable content was dropped or overwritten

      • WcInstaller.exe (PID: 3160)
      • WcInstaller.exe (PID: 3752)
      • WebCompanionInstaller.exe (PID: 2936)
      • WebCompanionInstaller.exe (PID: 664)

    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 664)
      • WebCompanion.exe (PID: 2212)

    • Adds / modifies Windows certificates

      • WebCompanionInstaller.exe (PID: 2936)

    • Creates a software uninstall entry

      • WebCompanionInstaller.exe (PID: 664)

    • Creates files in the Windows directory

      • WebCompanionInstaller.exe (PID: 2936)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2288)

    • Reads internet explorer settings

      • WebCompanionInstaller.exe (PID: 664)

    • Reads Internet Cache Settings

      • WebCompanionInstaller.exe (PID: 664)

    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 664)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 2744)

    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 664)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2288)

    • Removes files from Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 2288)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 664)
      • WebCompanion.exe (PID: 2212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 17:27:35+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.7.1987.3881
ProductVersionNumber: 4.7.1987.3881
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 4.7.1987.3881
ProductVersion: 4.7.1987.3881
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: c Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
59
Monitored processes
18
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start wcinstaller.exe webcompanioninstaller.exe wcinstaller.exe webcompanioninstaller.exe presentationfontcache.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs netsh.exe no specs webcompanion.exe lavasoft.wcassistant.winservice.exe cmd.exe no specs netsh.exe no specs csc.exe no specs cvtres.exe no specs ad-aware web companion.exe no specs wcinstaller.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664.\WebCompanionInstaller.exe --prod --nanouniqueid=1557488987674 --prodC:\Users\admin\AppData\Local\Temp\7zS13BA.tmp\WebCompanionInstaller.exe
WcInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
4.6.1974.3869
Modules
Images
c:\users\admin\appdata\local\temp\7zs13ba.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1880"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= autoC:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
2212"C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo= C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
WebCompanionInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
4.6.1974.3869
Modules
Images
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2288"C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
SPWindowsService
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\lavasoft\web companion\application\lavasoft.wcassistant.winservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2548"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000C:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
2600"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\gftnxmkk.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeWebCompanion.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2644C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB6D1.tmp" "c:\Users\admin\AppData\Local\Temp\CSCB6D0.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
2744"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=EveryoneC:\Windows\System32\cmd.exeLavasoft.WCAssistant.WinService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2808"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"C:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
2936.\WebCompanionInstaller.exe --prodC:\Users\admin\AppData\Local\Temp\7zSFD54.tmp\WebCompanionInstaller.exe
WcInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
4.7.1987.3881
Modules
Images
c:\users\admin\appdata\local\temp\7zsfd54.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
1 199
Read events
975
Write events
223
Delete events
1

Modification events

(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D03000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B810B000000010000000E00000074006800610077007400650000001D00000001000000100000005B3B67000EEB80022E42605B6B3B72401400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB57485053000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C009000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B060105050703030F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE2000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion
Operation:writeName:MachineId
Value:
735550bb-0faf-aab3-c4f6-bbac563dacb9
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2936) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
87
Suspicious files
9
Text files
135
Unknown types
8

Dropped files

PID
Process
Filename
Type
2936WebCompanionInstaller.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
MD5:
SHA256:
2936WebCompanionInstaller.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
MD5:
SHA256:
2936WebCompanionInstaller.exeC:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txttext
MD5:
SHA256:
2936WebCompanionInstaller.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cchbinary
MD5:
SHA256:
3752WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zSFD54.tmp\en-US\WebCompanionInstaller.resources.dllexecutable
MD5:8E66595B9EBBC4000F43291272163DDD
SHA256:955F937A777811B06DEED765E247AA36F49BA29A68BD0C48CA0D7BF9BCE79951
3752WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zSFD54.tmp\tr-TR\WebCompanionInstaller.resources.dllexecutable
MD5:570FEB77BFE279C7E7F8AE1013A6E03E
SHA256:4650E5633937201B3BE594D9AFF796B9906D87F7DDBCCAC358D40E3897E2DBD1
3752WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zSFD54.tmp\it-IT\WebCompanionInstaller.resources.dllexecutable
MD5:95C77760E59AE55D66EF3A4EC27196EA
SHA256:90A5882F805856905B377F16FA92A47BC72B881AAFB0EBD0D808C4A7782DC842
3752WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zSFD54.tmp\ru-RU\WebCompanionInstaller.resources.dllexecutable
MD5:B1DC8002EC4E170DF7829A406CEC8E5E
SHA256:D725DF10D4EEAFFBD46C418A837973DCA8711CE6309A5A3DA2F6F170DBBAE28C
2936WebCompanionInstaller.exeC:\Users\admin\AppData\Local\Temp\wctmp_1943088878\WcInstaller.exeexecutable
MD5:
SHA256:
2936WebCompanionInstaller.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cchbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
21
DNS requests
12
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
664
WebCompanionInstaller.exe
GET
200
104.17.178.102:80
http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1
US
html
1.33 Kb
malicious
664
WebCompanionInstaller.exe
GET
200
104.17.61.19:80
http://wcdownloadercdn.lavasoft.com/4.6.1974.3869/WebCompanion-4.6.1974.3869-prod.zip
US
compressed
9.06 Mb
whitelisted
2936
WebCompanionInstaller.exe
GET
200
104.17.61.19:80
http://wcdownloadercdn.lavasoft.com/4.6.1974.3869/WcInstaller.exe
US
executable
346 Kb
whitelisted
664
WebCompanionInstaller.exe
POST
200
64.18.87.82:80
http://wc-update-service.lavasoft.com/update.asmx
CA
xml
1.45 Kb
whitelisted
2936
WebCompanionInstaller.exe
POST
200
64.18.87.81:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
664
WebCompanionInstaller.exe
POST
200
64.18.87.81:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
664
WebCompanionInstaller.exe
POST
200
64.18.87.81:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
664
WebCompanionInstaller.exe
GET
200
104.17.177.102:80
http://webcompanion.com/installer/css/styles.css?1557489001
US
text
928 b
malicious
664
WebCompanionInstaller.exe
POST
200
64.18.87.81:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
664
WebCompanionInstaller.exe
POST
200
64.18.87.81:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2936
WebCompanionInstaller.exe
64.18.87.81:80
wc-tracking.lavasoft.com
COGECODATA
CA
unknown
2936
WebCompanionInstaller.exe
64.18.87.82:80
wc-tracking.lavasoft.com
COGECODATA
CA
unknown
104.17.177.102:80
www.webcompanion.com
Cloudflare Inc
US
shared
2288
Lavasoft.WCAssistant.WinService.exe
23.37.43.27:80
s2.symcb.com
Akamai Technologies, Inc.
NL
whitelisted
2936
WebCompanionInstaller.exe
104.17.61.19:80
wcdownloadercdn.lavasoft.com
Cloudflare Inc
US
shared
2212
WebCompanion.exe
64.18.87.4:80
wsgeoip.lavasoft.com
COGECODATA
CA
unknown
664
WebCompanionInstaller.exe
64.18.87.82:80
wc-tracking.lavasoft.com
COGECODATA
CA
unknown
104.17.178.102:80
www.webcompanion.com
Cloudflare Inc
US
shared
2212
WebCompanion.exe
64.18.87.81:80
wc-tracking.lavasoft.com
COGECODATA
CA
unknown
664
WebCompanionInstaller.exe
205.185.208.52:80
code.jquery.com
Highwinds Network Group, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
wc-tracking.lavasoft.com
  • 64.18.87.81
  • 64.18.87.82
whitelisted
wc-update-service.lavasoft.com
  • 64.18.87.82
  • 64.18.87.81
whitelisted
wcdownloadercdn.lavasoft.com
  • 104.17.61.19
  • 104.17.60.19
whitelisted
www.webcompanion.com
  • 104.17.178.102
  • 104.17.177.102
malicious
webcompanion.com
  • 104.17.177.102
  • 104.17.178.102
malicious
code.jquery.com
  • 205.185.208.52
whitelisted
rt.webcompanion.com
  • 104.17.177.102
  • 104.17.178.102
malicious
wc-partners.lavasoft.com
  • 64.18.87.81
  • 64.18.87.82
whitelisted
s2.symcb.com
  • 23.37.43.27
whitelisted
sv.symcd.com
  • 23.37.43.27
shared

Threats

PID
Process
Class
Message
2936
WebCompanionInstaller.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2936
WebCompanionInstaller.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
664
WebCompanionInstaller.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
664
WebCompanionInstaller.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
5/10/2019 12:49:50 PM :-> Starting installer 4.7.1987.3881 with: .\WebCompanionInstaller.exe --prod, Run as admin: True
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
5/10/2019 12:49:53 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1557488987674 --prod, Run as admin: True
WebCompanionInstaller.exe
Preparing for installing Web Companion
WebCompanionInstaller.exe
5/10/2019 12:50:04 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe
5/10/2019 12:50:04 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe
5/10/2019 12:50:04 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe
5/10/2019 12:50:04 PM :-> Antivirus not detected
WebCompanionInstaller.exe
5/10/2019 12:50:05 PM :-> vm_check False
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WcInstaller.exe