File name: WebComponents.exe

Full analysis: https://app.any.run/tasks/a3e32cb4-31ac-4297-aba1-d52f8c2b84fa
Verdict: Malicious activity
Analysis date: December 02, 2023, 04:06:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 54A7BC32F60D5E2146446E355766C36D
SHA1: 15D332661010202E81240C93A9C8796DCD55248C
SHA256: 49F13E184A2B7892B3923EC5A2806FAD1B2C443805A67B275B1ADCEB6E718679
SSDEEP: 98304:TmzO0dX0tqppzGM7HncJ1vI7Bkdq3fUNfvv8H63HbnCPFRhkCIEtfO1ky8Sltnxt:Rrnj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WebComponents.exe (PID: 844)
      • WebComponents.exe (PID: 2540)
      • WebComponents.tmp (PID: 3048)
    • Registers / Runs the DLL via REGSVR32.EXE

      • WebComponents.tmp (PID: 3048)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WebComponents.tmp (PID: 3048)
    • Reads the Windows owner or organization settings

      • WebComponents.tmp (PID: 3048)
  • INFO

    • Create files in a temporary directory

      • WebComponents.exe (PID: 844)
      • WebComponents.exe (PID: 2540)
      • WebComponents.tmp (PID: 3048)
    • Reads the computer name

      • WebComponents.tmp (PID: 2644)
      • WebComponents.tmp (PID: 3048)
    • Checks supported languages

      • WebComponents.exe (PID: 844)
      • WebComponents.tmp (PID: 2644)
      • WebComponents.tmp (PID: 3048)
      • WebComponents.exe (PID: 2540)
    • Creates files in the program directory

      • WebComponents.tmp (PID: 3048)
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 14848
UninitializedDataSize: -
EntryPoint: 0x9b24
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.0.6.8
ProductVersionNumber: 3.0.6.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Web Components Setup
FileVersion: 3.0.6.8
LegalCopyright:
ProductName: Web Components
ProductVersion: 3.0.6.8
No data.
Total processes: 43
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start -> webcomponents.exe (no specs) -> webcomponents.tmp (no specs) -> webcomponents.exe -> webcomponents.tmp (no specs) -> regsvr32.exe

Process information

PID: 844
CMD: "C:\Users\admin\AppData\Local\Temp\WebComponents.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebComponents.exe
Indicators:
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Web Components Setup
Exit code: 0
Version: 3.0.6.8
Modules
Images
c:\users\admin\appdata\local\temp\webcomponents.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 2464
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Web Components\WebVideoActiveX.ocx"
Path: C:\Windows\System32\regsvr32.exe
Indicators:
Parent process: WebComponents.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2540
CMD: "C:\Users\admin\AppData\Local\Temp\WebComponents.exe" /SPAWNWND=$1C0158 /NOTIFYWND=$25013A
Path: C:\Users\admin\AppData\Local\Temp\WebComponents.exe
Indicators:
Parent process: WebComponents.tmp
User: admin
Company:
Integrity Level: HIGH
Description: Web Components Setup
Exit code: 0
Version: 3.0.6.8
Modules
Images
c:\users\admin\appdata\local\temp\webcomponents.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 2644
CMD: "C:\Users\admin\AppData\Local\Temp\is-NO253.tmp\WebComponents.tmp" /SL5="$25013A,2217563,53760,C:\Users\admin\AppData\Local\Temp\WebComponents.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-NO253.tmp\WebComponents.tmp
Indicators:
Parent process: WebComponents.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.50.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-no253.tmp\webcomponents.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 3048
CMD: "C:\Users\admin\AppData\Local\Temp\is-2RENT.tmp\WebComponents.tmp" /SL5="$14019C,2217563,53760,C:\Users\admin\AppData\Local\Temp\WebComponents.exe" /SPAWNWND=$1C0158 /NOTIFYWND=$25013A
Path: C:\Users\admin\AppData\Local\Temp\is-2RENT.tmp\WebComponents.tmp
Indicators:
Parent process: WebComponents.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.50.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-2rent.tmp\webcomponents.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
Total events: 1 539
Read events: 1 539
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 29
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
844 | WebComponents.exe | C:\Users\admin\AppData\Local\Temp\is-NO253.tmp\WebComponents.tmp | executable
MD5:9D321C7096F4BCAEB6F3D8D1636E1744
SHA256:43202B0DE2E718D35CDF7EB8B34DD35BF3FAE85C0ECD2108830230A121284322
3048 | WebComponents.tmp | C:\Program Files\Web Components\is-6STO2.tmp | executable
MD5:2357DFBCBC4A0C3EC0DC36F18F280F01
SHA256:135F0D03D60FD102E209B55A93173C3239981F2A8B346AF8F977E8933A26D5FE
3048 | WebComponents.tmp | C:\Users\admin\AppData\Local\Temp\is-17UVH.tmp\_isetup\_RegDLL.tmp | executable
MD5:0EE914C6F0BB93996C75941E1AD629C6
SHA256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
3048 | WebComponents.tmp | C:\Users\admin\AppData\Local\Temp\is-17UVH.tmp\_isetup\_shfoldr.dll | executable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
3048 | WebComponents.tmp | C:\Program Files\Web Components\is-NEG4O.tmp | executable
MD5:B0FF349B007B42C1624A213266DE89F7
SHA256:B5014F30967212D14E2D2914DE69FBF323DDE868F0E2F90794C10E1EC7333B33
3048 | WebComponents.tmp | C:\Users\admin\AppData\Local\Temp\is-17UVH.tmp\ISTask.dll | executable
MD5:86A1311D51C00B278CB7F27796EA442E
SHA256:E916BDF232744E00CBD8D608168A019C9F41A68A7E8390AA48CFB525276C483D
3048 | WebComponents.tmp | C:\Program Files\Web Components\ISTask.dll | executable
MD5:86A1311D51C00B278CB7F27796EA442E
SHA256:E916BDF232744E00CBD8D608168A019C9F41A68A7E8390AA48CFB525276C483D
3048 | WebComponents.tmp | C:\Program Files\Web Components\is-C4N51.tmp | executable
MD5:86A1311D51C00B278CB7F27796EA442E
SHA256:E916BDF232744E00CBD8D608168A019C9F41A68A7E8390AA48CFB525276C483D
3048 | WebComponents.tmp | C:\Program Files\Web Components\unins000.exe | executable
MD5:2357DFBCBC4A0C3EC0DC36F18F280F01
SHA256:135F0D03D60FD102E209B55A93173C3239981F2A8B346AF8F977E8933A26D5FE
3048 | WebComponents.tmp | C:\Program Files\Web Components\is-EJGC4.tmp | executable
MD5:9915A401A1ED70FC2197F1B7F2F674F8
SHA256:B80C2FBD14EF5A58A3882FF934C5C162320C3D4346ECBC201C3FF5AA475028DD
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected

Debug output

Process | Message
regsvr32.exe | [Info]StreamTranClient---version:this RTSP version is asyn..
regsvr32.exe | [Debug]StreamTranClient---Create asyncio queue succ!
regsvr32.exe | [Info]StreamTranClient---version:this RTSP version is 1.1.3.4 2015_11_16..
regsvr32.exe | [Debug]StreamTranClient---Destroy asyncio queue succ!