URL: http://cyan.download.pdfforge.org/op/lsop.exe
Full analysis: https://app.any.run/tasks/ed831600-17fb-4e63-8e4e-da9747812592
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 14, 2019, 13:19:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
pua
lavasoft
Indicators:
MD5: 72619119D6075A860A98A784EFCED72A
SHA1: 31ED32EBCD34DD60F23545283B50B3A576FF17CE
SHA256: 2E6A3BA9ED5EB7725AB573A45613CED29674595ECC679700E1467A9DA0F8F0F5
SSDEEP: 3:N1KdcoZKWGSFSkWdA:CeIlGSF3

Caveat on the fuzzy hash: ssdeep only emits block size 3 for inputs of at most a few hundred bytes, so the object these indicator hashes describe is far smaller than the installer the sandbox actually executed as lsop[1].exe (PID 2536), which unpacks several further executables. Recompute the hashes from the sample you hold before pivoting on them.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • lsop[1].exe (PID: 2536)
      • installer.exe (PID: 2860)
      • GenericSetup.exe (PID: 2400)
      • odaoktfg.cnd.exe (PID: 784)
      • OfferInstaller.exe (PID: 4036)
      • odaoktfg.cnd.exe (PID: 3960)
      • odaoktfg.cnd.exe (PID: 3100)
      • WebCompanionInstaller.exe (PID: 3084)
      • WebCompanion.exe (PID: 444)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
      • Ad-Aware Web Companion.exe (PID: 2968)
      • WebCompanion.exe (PID: 2708)
    • Loads dropped or rewritten executable

      • GenericSetup.exe (PID: 2400)
      • OfferInstaller.exe (PID: 4036)
      • WebCompanionInstaller.exe (PID: 3084)
      • WebCompanion.exe (PID: 444)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
      • WebCompanion.exe (PID: 2708)
    • LAVASOFT was detected

      • installer.exe (PID: 2860)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3176)
    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 3084)
    • Changes the autorun value in the registry

      • WebCompanion.exe (PID: 444)
    • Starts Visual C# compiler

      • WebCompanion.exe (PID: 444)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3176)
      • iexplore.exe (PID: 2344)
      • lsop[1].exe (PID: 2536)
      • OfferInstaller.exe (PID: 4036)
      • odaoktfg.cnd.exe (PID: 3960)
      • WebCompanionInstaller.exe (PID: 3084)
    • Reads the Windows organization settings

      • GenericSetup.exe (PID: 2400)
      • OfferInstaller.exe (PID: 4036)
    • Reads Windows owner or organization settings

      • GenericSetup.exe (PID: 2400)
      • OfferInstaller.exe (PID: 4036)
    • Reads Environment values

      • GenericSetup.exe (PID: 2400)
      • OfferInstaller.exe (PID: 4036)
    • Starts CMD.EXE for commands execution

      • OfferInstaller.exe (PID: 4036)
      • WebCompanionInstaller.exe (PID: 3084)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 3084)
      • WebCompanion.exe (PID: 444)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
      • WebCompanion.exe (PID: 2708)
    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 3084)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 292)
    • Creates a software uninstall entry

      • WebCompanionInstaller.exe (PID: 3084)
    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 3084)
      • WebCompanion.exe (PID: 444)
    • Creates files in the Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
      • WebCompanionInstaller.exe (PID: 3084)
      • WebCompanion.exe (PID: 444)
    • Removes files from Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
      • WebCompanionInstaller.exe (PID: 3084)
    • Executed as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 2112)
      • PresentationFontCache.exe (PID: 2376)
    • Changes the started page of IE

      • WebCompanion.exe (PID: 444)
    • Searches for installed software

      • OfferInstaller.exe (PID: 4036)
      • GenericSetup.exe (PID: 2400)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2344)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3176)
      • iexplore.exe (PID: 2344)
    • Application launched itself

      • iexplore.exe (PID: 2344)
    • Reads settings of System Certificates

      • GenericSetup.exe (PID: 2400)
    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 3084)
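The signatures above describe one chain: the browser runs lsop[1].exe straight out of its cache, the 7-Zip SFX contents in %TEMP% spawn OfferInstaller.exe, which wraps a silent partner-tagged installer in cmd.exe /C, the installer fails twice with exit code 3221226540 (NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED) before a HIGH-integrity run succeeds, and the installer then drives sc.exe and netsh.exe. The following detection is an added example, not part of the ANY.RUN report: it encodes those four behaviours as rules and runs them over process-creation records reconstructed by hand from the process table further down (PIDs, paths, command lines, integrity levels and exit codes as listed there). The sc.exe and netsh.exe records, and their PIDs 9001/9002, are assumed, because the table in this excerpt ends at PID 3960; the Sysmon-style field names and rule names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# 3221226540 in the report's process table is NTSTATUS 0xC000042C,
# STATUS_ELEVATION_REQUIRED: CreateProcess refused because the image's manifest
# demands administrator rights and the caller was not elevated.
STATUS_ELEVATION_REQUIRED = 0xC000042C


@dataclass
class ProcEvent:
    pid: int
    image: str            # full path of the new process
    cmdline: str
    parent_image: str     # parent image name (basename is enough here)
    integrity: str        # LOW / MEDIUM / HIGH
    exit_code: Optional[int] = None


TEMP = r"C:\Users\admin\AppData\Local\Temp"
OFFER = f'"{TEMP}\\odaoktfg.cnd.exe" --silent --search=7 --homepage=11 --partner=PF170501'

# Constructed sample: PIDs, paths, command lines, integrity levels and exit codes
# are copied from the report's process table. The sc.exe and netsh.exe rows are
# filled in from the behaviour signatures with ASSUMED PIDs 9001/9002, because
# the table in this excerpt ends at PID 3960.
EVENTS: List[ProcEvent] = [
    ProcEvent(3176, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2344 CREDAT:71937',
              "iexplore.exe", "LOW", 0),
    ProcEvent(2536, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\lsop[1].exe",
              r'"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\lsop[1].exe"',
              "iexplore.exe", "MEDIUM", 0),
    ProcEvent(2860, TEMP + r"\7zS8E913799\installer.exe", r".\installer.exe", "lsop[1].exe", "MEDIUM", 0),
    ProcEvent(3756, r"C:\Windows\system32\cmd.exe", f'"C:\\Windows\\system32\\cmd.exe" /C "{OFFER}"',
              "OfferInstaller.exe", "MEDIUM", 0),
    ProcEvent(784, TEMP + r"\odaoktfg.cnd.exe", OFFER, "cmd.exe", "MEDIUM", STATUS_ELEVATION_REQUIRED),
    ProcEvent(3100, TEMP + r"\odaoktfg.cnd.exe", OFFER, "cmd.exe", "MEDIUM", STATUS_ELEVATION_REQUIRED),
    ProcEvent(3960, TEMP + r"\odaoktfg.cnd.exe", OFFER, "cmd.exe", "HIGH", 0),
    ProcEvent(9001, r"C:\Windows\system32\sc.exe", "sc.exe", "WebCompanionInstaller.exe", "HIGH"),
    ProcEvent(9002, r"C:\Windows\system32\netsh.exe", "netsh.exe", "cmd.exe", "HIGH"),
]

IE_CACHE = re.compile(r"\\Temporary Internet Files\\(Low\\)?Content\.IE5\\", re.I)
SILENT_TEMP_INSTALL = re.compile(r"\\AppData\\Local\\Temp\\[^\"]+\.exe\".*--silent\b.*--partner=", re.I)
ADMIN_TOOLS = {"sc.exe", "netsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs in event order for the behaviours this report shows."""
    hits: List[Tuple[int, str]] = []
    elevation_denied: Set[str] = set()   # image names that exited with 0xC000042C
    for e in events:
        name = basename(e.image)
        parent = e.parent_image.lower()
        # Rule 1: the browser itself runs a PE straight out of its cache directory
        # (lsop[1].exe under Content.IE5, parent iexplore.exe).
        if parent == "iexplore.exe" and IE_CACHE.search(e.image):
            hits.append((e.pid, "exe_run_from_browser_cache"))
        # Rule 2: partner-tagged silent installer launched from %TEMP%, whether the
        # installer itself or the cmd.exe /C wrapper that OfferInstaller.exe used.
        if SILENT_TEMP_INSTALL.search(e.cmdline):
            hits.append((e.pid, "silent_temp_installer"))
        # Rule 3: a medium-integrity launch failed with STATUS_ELEVATION_REQUIRED and
        # the same image later runs at High integrity: the install was re-run elevated.
        if e.exit_code == STATUS_ELEVATION_REQUIRED:
            elevation_denied.add(name)
        elif name in elevation_denied and e.integrity.upper() == "HIGH":
            hits.append((e.pid, "elevated_retry_after_elevation_required"))
        # Rule 4: service or network-stack changes driven by an installer or its shell
        # (the report's sc.exe from WebCompanionInstaller.exe, netsh.exe from cmd.exe).
        if name in ADMIN_TOOLS and (parent == "cmd.exe" or parent.endswith("installer.exe")):
            hits.append((e.pid, "installer_drives_sc_or_netsh"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 3 is the one worth keeping in production: an exit status of 0xC000042C followed by the same image at High integrity is a reliable marker of an installer that only does its real work once a UAC prompt has been passed, which is exactly what the "Run as admin: True" line in the installer's own debug output below confirms.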
Malware configuration: no data (none extracted).
Total processes: 70
Monitored processes: 25
Malicious processes: 10
Suspicious processes: 1

Behavior graph (rendered interactively in the full report; nodes as extracted, in graph order): iexplore.exe → iexplore.exe → lsop[1].exe → installer.exe (#LAVASOFT) → genericsetup.exe → offerinstaller.exe → cmd.exe → odaoktfg.cnd.exe (three instances); webcompanioninstaller.exe → sc.exe (three instances); cmd.exe → netsh.exe; webcompanion.exe; lavasoft.wcassistant.winservice.exe; cmd.exe → netsh.exe; csc.exe, cvtres.exe; ad-aware web companion.exe; webcompanion.exe; presentationfontcache.exe. Edges the graph labels "drop and start" are the dropped-then-executed stages listed under "Application was dropped or rewritten from another process" above.

Process information (excerpt; the table in this extract ends at PID 3960)

PID: 2344
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3176
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2344 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2536
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\lsop[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\lsop[1].exe
Parent process: iexplore.exe
User: admin
Company: pdfforge GmbH
Integrity Level: MEDIUM
Description: PDFCreator is the easy way of creating PDFs.
Exit code: 0
Version: 2.5.2.6324

PID: 2860
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8E913799\installer.exe
Parent process: lsop[1].exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: PDFCreator is the easy way of creating PDFs.
Exit code: 0
Version: 2.7.2.1576

PID: 2400
CMD: C:\Users\admin\AppData\Local\Temp\7zS8E913799\GenericSetup.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8E913799\GenericSetup.exe
Parent process: installer.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: PDFCreator is the easy way of creating PDFs.
Exit code: 0
Version: 2.7.2.1576

PID: 4036
CMD: "C:\Users\admin\AppData\Local\Temp\7zS8E913799\OfferInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\7zS8E913799\OfferInstaller.exe
Parent process: GenericSetup.exe
User: admin
Company: (not set)
Integrity Level: MEDIUM
Description: PDFCreator is the easy way of creating PDFs.
Exit code: 0
Version: 1.0.0.0

PID: 3756
CMD: "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe" --silent --search=7 --homepage=11 --partner=PF170501"
Path: C:\Windows\system32\cmd.exe
Parent process: OfferInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 784
CMD: "C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe" --silent --search=7 --homepage=11 --partner=PF170501
Path: C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe
Parent process: cmd.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 4.8.2078.3950

PID: 3100
CMD: "C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe" --silent --search=7 --homepage=11 --partner=PF170501
Path: C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe
Parent process: cmd.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 4.8.2078.3950

PID: 3960
CMD: "C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe" --silent --search=7 --homepage=11 --partner=PF170501
Path: C:\Users\admin\AppData\Local\Temp\odaoktfg.cnd.exe
Parent process: cmd.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion Installer
Exit code: 0
Version: 4.8.2078.3950

Reading the table: the 7zS8E913799 directory under %TEMP% follows the naming pattern of a 7-Zip self-extracting archive, so lsop[1].exe is an SFX wrapper that unpacks installer.exe, GenericSetup.exe and OfferInstaller.exe; although their company field reads "adaware", these files still carry PDFCreator's file description. The two MEDIUM-integrity launches of odaoktfg.cnd.exe (PIDs 784 and 3100) exited with 0xC000042C, STATUS_ELEVATION_REQUIRED, and only the third launch (PID 3960), running at HIGH integrity, completed with exit code 0, i.e. the Web Companion installer does its work only once elevated. Its --search and --homepage switches line up with the "Changes the started page of IE" signature fired later by WebCompanion.exe. The remaining processes (WebCompanionInstaller.exe, WebCompanion.exe, Lavasoft.WCAssistant.WinService.exe, sc.exe, netsh.exe, csc.exe, cvtres.exe, Ad-Aware Web Companion.exe, PresentationFontCache.exe) are not in this excerpt of the table and appear only in the signatures and behavior graph above.
Total events: 7 926 (read: 7 600, write: 0, delete: 0)
Modification events: no data
Files: executable 93, suspicious 16, text 361, unknown types 10

Dropped files (excerpt; the counts above show far more files than are listed here)

PID 2344, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  Type, MD5, SHA256: not listed
PID 2344, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type, MD5, SHA256: not listed
PID 2344, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF627D543FC1680882.TMP
  Type, MD5, SHA256: not listed
PID 3176, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat  MD5: A71DA0F44F601F744AFDAAF1ADD39193  SHA256: 25C9F9AAD284E80EBB5654B71509171806F726887B06DA2A234B2141F5475775
PID 2344, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{3BDD9352-EE85-11E9-AB41-5254004A04AF}.dat
  Type: binary  MD5: 16F240F3A81915881FC88060146F813B  SHA256: 9FDEFCE20E302EE1B0DFF44293294F37601C8605BD7937669EB78AC05691F6FA
PID 3176, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat  MD5: 62B7B5A4A61CCAE15003D5595B509EF8  SHA256: F8B33A44DB933BDE4D9709C14D578521D501C1C1E535A6C49AC5ACF3B7D14A0D
PID 3176, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019101420191015\index.dat
  Type: dat  MD5: 5F02A87E5C5D96AB2F8301AB5DFE8B49  SHA256: 3AD72B54BECF19C699EA6AC8876AEBCE4581D2A482EAF6C7BFAC37C55CBC0F69
PID 2344, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019101420191015\index.dat
  Type: dat  MD5: DA2911B14C844B3672A39B3EB65369ED  SHA256: 02D8A163AE78191E7649DD7866E619184FEAB29EB9F994AD577960DC0256F5BE
PID 2536, lsop[1].exe: C:\Users\admin\AppData\Local\Temp\7zS8E913799\GenericSetup.exe.config
  Type: xml  MD5: 70CEAB31E8F473DF3A4C6CAB72DF5DB7  SHA256: 386C82F8E573B8151239C6E2EEB58CB9FF912F070AC735A646DA954CBDA195C7
PID 3176, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AMZWKSIK\desktop.ini
  Type: ini  MD5: 4A3DEB274BB5F0212C2419D3D8D08612  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Network summary: HTTP(S) requests 32, TCP/UDP connections 24, DNS requests 16, threats 0

HTTP requests (excerpt, in the order captured)

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
444 | WebCompanion.exe | GET | 200 | 104.17.177.102:80 | http://rt.webcompanion.com/notifications/download/rt/ActiveFeatures.zip | US | compressed | 8.32 Kb | malicious
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3084 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3084 | WebCompanionInstaller.exe | GET | 200 | 104.18.87.101:80 | http://wcdownloadercdn.lavasoft.com/4.8.2078.3950/WebCompanion-4.8.2078.3950-prod.zip | US | compressed | 9.91 Mb | whitelisted
3084 | WebCompanionInstaller.exe | POST | (no response recorded) | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | (not listed) | (not listed) | whitelisted

The repeated POSTs to Install.asmx are the installer's telemetry beacons (the "Install Id" it reports generating in its debug output below); the 9.91 Mb WebCompanion zip is the real payload, fetched over plain HTTP, and the ActiveFeatures.zip download is the only request the service tags malicious.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3176 | iexplore.exe | 78.46.92.18:80 | cyan.download.pdfforge.org | Hetzner Online GmbH | DE | suspicious
444 | WebCompanion.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
2400 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
2112 | Lavasoft.WCAssistant.WinService.exe | 23.37.43.27:80 | s2.symcb.com | Akamai Technologies, Inc. | NL | whitelisted
4036 | OfferInstaller.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared
2860 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
3084 | WebCompanionInstaller.exe | 64.18.87.81:80 | wc-tracking.lavasoft.com | COGECODATA | CA | unknown
3084 | WebCompanionInstaller.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
2400 | GenericSetup.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared
444 | WebCompanion.exe | 104.17.177.102:80 | webcompanion.com | Cloudflare Inc | US | shared

DNS requests

Domain | Resolved IPs | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
cyan.download.pdfforge.org | 78.46.92.18 | suspicious
flow.lavasoft.com | 104.18.87.101, 104.18.88.101 | whitelisted
www.google.com | 172.217.16.132 | whitelisted
sos.adaware.com | 104.16.235.79, 104.16.236.79 | whitelisted
webcompanion.com | 104.17.178.102, 104.17.177.102 | malicious
wc-tracking.lavasoft.com | 64.18.87.81, 64.18.87.82 | whitelisted
wc-update-service.lavasoft.com | 64.18.87.81, 64.18.87.82 | whitelisted
wcdownloadercdn.lavasoft.com | 104.18.87.101, 104.18.88.101 | whitelisted
rt.webcompanion.com | 104.17.177.102, 104.17.178.102 | malicious

Threats (network IDS alerts, Emerging Threats rules)

PID | Process | Class | Message
3176 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2860 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install

Debug output strings

Process | Message
GenericSetup.exe | *** Status propagated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147 (Windows SxS isolation message, emitted twice)
WebCompanionInstaller.exe | Detecting windows culture
WebCompanionInstaller.exe | 10/14/2019 2:19:59 PM :-> Starting installer 4.8.2078.3950 with: .\WebCompanionInstaller.exe --partner=PF170501 --version=4.8.2078.3950 --prod --silent --search=7 --homepage=11 --partner=PF170501, Run as admin: True
WebCompanionInstaller.exe | Preparing for installing Web Companion
WebCompanionInstaller.exe | 10/14/2019 2:20:00 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe | 10/14/2019 2:20:00 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe | 10/14/2019 2:20:01 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe | 10/14/2019 2:20:01 PM :-> Antivirus not detected
WebCompanionInstaller.exe | 10/14/2019 2:20:01 PM :-> vm_check False

The installer's own log is the most candid artifact in the report: it confirms the partner tag and the --search/--homepage switches were passed through from odaoktfg.cnd.exe, that it was running elevated ("Run as admin: True"), and that it generated per-machine and per-install identifiers and checked for antivirus and for a virtual machine before proceeding. The vm_check False result is why the sandbox run completed; a sample whose VM check returns true may behave differently on a bare-metal host.