Field | Value
---|---
File name: | wcupdater.exe.zip
Full analysis: | https://app.any.run/tasks/64b6d8a8-34b0-4f06-a1be-cc3715a2a944
Verdict: | Malicious activity
Analysis date: | October 14, 2019, 17:13:47
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/zip
File info: | Zip archive data, at least v2.0 to extract
MD5: | EB2324F88F052366A21CCC8D7025EF55
SHA1: | 580917FF4F699FC3A7CA488EA5C7D2549E094783
SHA256: | 517EA4284B27CA36F7130E8D0D9831CD7B2DCD220FD3AD7BA3B7257FA1A59B36
SSDEEP: | 12288:bsdeY1xpCLQcETNUPCv98qguisAtUQ9XprlAEG3:Id5CLyThxMLAEK
Extension | Type
---|---
.zip | ZIP compressed archive (100)

Property | Value
---|---
ZipRequiredVersion: | 20
ZipBitFlag: | 0x0009
ZipCompression: | Deflated
ZipModifyDate: | 2017:05:12 19:37:29
ZipCRC: | 0xc54e3b2b
ZipCompressedSize: | 642330
ZipUncompressedSize: | 729368
ZipFileName: | wcupdater.exe
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2576 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\wcupdater.exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
1212 | "C:\Users\admin\Desktop\wcupdater.exe" | C:\Users\admin\Desktop\wcupdater.exe | — | explorer.exe | admin | adaware | MEDIUM | WebCompanion | 0 | 1.7.0.0
2824 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\installer.exe | — | wcupdater.exe | admin | adaware | MEDIUM | adaware installer | 0 | 1.7.0.116
4092 | "C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\GenericSetup.exe" | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\GenericSetup.exe | — | installer.exe | admin | adaware | MEDIUM | GenericSetup | 0 | 1.7.0.116
1296 | "C:\Users\admin\Desktop\wcupdater.exe" | C:\Users\admin\Desktop\wcupdater.exe | — | explorer.exe | admin | adaware | MEDIUM | WebCompanion | 0 | 1.7.0.0
3008 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS0157DCD9\installer.exe | — | wcupdater.exe | admin | adaware | MEDIUM | adaware installer | 0 | 1.7.0.116
2620 | "C:\Users\admin\Desktop\wcupdater.exe" | C:\Users\admin\Desktop\wcupdater.exe | — | explorer.exe | admin | adaware | MEDIUM | WebCompanion | 0 | 1.7.0.0
4028 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\installer.exe | — | wcupdater.exe | admin | adaware | MEDIUM | adaware installer | 0 | 1.7.0.116
3360 | "C:\Users\admin\Desktop\wcupdater.exe" | C:\Users\admin\Desktop\wcupdater.exe | — | explorer.exe | admin | adaware | MEDIUM | WebCompanion | 0 | 1.7.0.0
932 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS02D6DDBA\installer.exe | — | wcupdater.exe | admin | adaware | MEDIUM | adaware installer | 0 | 1.7.0.116
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\GenericSetup.exe | — | — | —
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\installer.exe | — | — | —
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\DevLib.dll | — | — | —
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\en\DevLib.resources.dll | — | — | —
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\fr\DevLib.resources.dll | — | — | —
1212 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\DevLib.dll | executable | 25580DB794E9EC64041D5E6812FFF9FD | 47733A5820D1292FD1035B8389E19153AD52B0F1C0360B15977CA98FF4F45EB4
1296 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zS0157DCD9\BundleConfig.xml | text | 37FB1F4F67829A62A60D8C714B35600E | 67044B37218861A0C31C05A00EB762BEEEAA660C89B5E162566C6D5926D13FF6
1212 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\BundleConfig.xml | text | 37FB1F4F67829A62A60D8C714B35600E | 67044B37218861A0C31C05A00EB762BEEEAA660C89B5E162566C6D5926D13FF6
2824 | installer.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\2019.10.14_18.14.28.831625_installer_pid=2824.txt | — | — | —
1212 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\fr\DevLib.resources.dll | executable | 0EC41D99A55A3D6403EC9607B296DC3C | BF5F114D1BEC733335D511AF7324F57199931E4A8808C0AA902869781D59BCF9
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3448 | GenericSetup.exe | POST | — | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers | US | — | — | whitelisted |
4092 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallComplete | US | text | 29 b | whitelisted |
932 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart | US | text | 29 b | whitelisted |
4092 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved | US | text | 29 b | whitelisted |
932 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted |
2824 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted |
3996 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers | US | text | 29 b | whitelisted |
4092 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart | US | text | 29 b | whitelisted |
3448 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart | US | text | 29 b | whitelisted |
2684 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2824 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
4092 | GenericSetup.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
4092 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared |
3996 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared |
932 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
3996 | GenericSetup.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
3448 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared |
2684 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
3448 | GenericSetup.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
www.google.com | | whitelisted
sos.adaware.com | | whitelisted
flow.lavasoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2824 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
932 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
2684 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |