| URL: | http://www.pcfreetime.com/public/ffsetuplatest.exe.torrent |
| Full analysis: | https://app.any.run/tasks/0fa9bd07-07a8-4a49-8b78-0ae09d68b1ea |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | September 11, 2019, 15:06:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 4A4AD7A4EBE424E5FEC25845CD778829 |
| SHA1: | 724E7E487D3C229FA74FA0171C9B30BA8B8ACBA1 |
| SHA256: | 7DF5C1FD88A7A166F1DCA38CE6420FF26CA19A0DAF6522416AF03C4A965E72D0 |
| SSDEEP: | 3:N1KJS45nQHJOWARQj4zyCbn:Cc45QHJOWAa4zTn |
MALICIOUS
Application was dropped or rewritten from another process
- stable[1].exe (PID: 3040)
- installer.exe (PID: 4020)
- GenericSetup.exe (PID: 3096)
- Carrier.exe (PID: 2940)
- WebCompanionInstaller.exe (PID: 1520)
- ayoj1qpw.sfn.exe (PID: 316)
- btweb.exe (PID: 2072)
- helper.exe (PID: 3112)
- btweb.exe (PID: 3732)
- WebCompanion.exe (PID: 2828)
- Lavasoft.WCAssistant.WinService.exe (PID: 2836)
Changes settings of System certificates
- GenericSetup.exe (PID: 3096)
- msiexec.exe (PID: 2148)
- WebCompanionInstaller.exe (PID: 1520)
Loads dropped or rewritten executable
- GenericSetup.exe (PID: 3096)
- Carrier.exe (PID: 2940)
- btweb.exe (PID: 2072)
- btweb.exe (PID: 3732)
- WebCompanionInstaller.exe (PID: 1520)
- WebCompanion.exe (PID: 2828)
LAVASOFT was detected
- installer.exe (PID: 4020)
Downloads executable files from the Internet
- GenericSetup.exe (PID: 3096)
Loads the Task Scheduler COM API
- GenericSetup.exe (PID: 3096)
Changes the autorun value in the registry
- btweb.exe (PID: 2072)
- WebCompanion.exe (PID: 2828)
Changes internet zones settings
- WebCompanionInstaller.exe (PID: 1520)
SUSPICIOUS
Uses RUNDLL32.EXE to load library
- chrome.exe (PID: 2884)
Starts Internet Explorer
- rundll32.exe (PID: 3432)
Executed via COM
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3920)
Executable content was dropped or overwritten
- stable[1].exe (PID: 3040)
- iexplore.exe (PID: 3764)
- iexplore.exe (PID: 2356)
- Carrier.exe (PID: 2940)
- msiexec.exe (PID: 2148)
- GenericSetup.exe (PID: 3096)
- ayoj1qpw.sfn.exe (PID: 316)
- btweb.exe (PID: 2072)
- WebCompanionInstaller.exe (PID: 1520)
Reads Environment values
- GenericSetup.exe (PID: 3096)
- MsiExec.exe (PID: 940)
Reads the Windows organization settings
- GenericSetup.exe (PID: 3096)
Creates files in the user directory
- Carrier.exe (PID: 2940)
- btweb.exe (PID: 2072)
- MsiExec.exe (PID: 940)
- WebCompanionInstaller.exe (PID: 1520)
Adds / modifies Windows certificates
- GenericSetup.exe (PID: 3096)
- msiexec.exe (PID: 2148)
- WebCompanionInstaller.exe (PID: 1520)
Starts Microsoft Installer
- cmd.exe (PID: 2364)
Starts CMD.EXE for commands execution
- GenericSetup.exe (PID: 3096)
- MsiExec.exe (PID: 940)
- WebCompanionInstaller.exe (PID: 1520)
Reads Windows owner or organization settings
- GenericSetup.exe (PID: 3096)
Reads Internet Cache Settings
- Carrier.exe (PID: 2940)
Modifies the open verb of a shell class
- Carrier.exe (PID: 2940)
Creates a software uninstall entry
- Carrier.exe (PID: 2940)
- WebCompanionInstaller.exe (PID: 1520)
Executed via Task Scheduler
- btweb.exe (PID: 2072)
Removes files from Windows directory
- certutil.exe (PID: 1684)
Creates files in the Windows directory
- certutil.exe (PID: 1684)
Creates files in the program directory
- WebCompanionInstaller.exe (PID: 1520)
- WebCompanion.exe (PID: 2828)
Uses TASKKILL.EXE to kill Browsers
- cmd.exe (PID: 3728)
- cmd.exe (PID: 2640)
- cmd.exe (PID: 3752)
- cmd.exe (PID: 2108)
- cmd.exe (PID: 2272)
Searches for installed software
- GenericSetup.exe (PID: 3096)
Starts SC.EXE for service management
- WebCompanionInstaller.exe (PID: 1520)
Uses NETSH.EXE for network configuration
- cmd.exe (PID: 684)
Executed as Windows Service
- Lavasoft.WCAssistant.WinService.exe (PID: 2836)
Connects to unusual port
- btweb.exe (PID: 2072)
INFO
Reads the hosts file
- chrome.exe (PID: 2884)
- chrome.exe (PID: 2368)
Application launched itself
- chrome.exe (PID: 2884)
- iexplore.exe (PID: 2356)
- msiexec.exe (PID: 2148)
- firefox.exe (PID: 2972)
- firefox.exe (PID: 3844)
Reads Internet Cache Settings
- iexplore.exe (PID: 3764)
- chrome.exe (PID: 2884)
- iexplore.exe (PID: 2176)
- iexplore.exe (PID: 1804)
Changes internet zones settings
- iexplore.exe (PID: 2356)
Reads internet explorer settings
- iexplore.exe (PID: 3764)
- iexplore.exe (PID: 2176)
- iexplore.exe (PID: 1804)
Reads settings of System Certificates
- iexplore.exe (PID: 2356)
Adds / modifies Windows certificates
- iexplore.exe (PID: 2356)
Creates files in the user directory
- iexplore.exe (PID: 3764)
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3920)
- firefox.exe (PID: 3844)
Dropped object may contain Bitcoin addresses
- iexplore.exe (PID: 3764)
- WebCompanionInstaller.exe (PID: 1520)
Changes settings of System certificates
- iexplore.exe (PID: 2356)
Creates a software uninstall entry
- msiexec.exe (PID: 2148)
Loads dropped or rewritten executable
- MsiExec.exe (PID: 940)
Manual execution by user
- explorer.exe (PID: 2628)
Reads CPU info
- firefox.exe (PID: 3844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
115
Monitored processes
60
Malicious processes
16
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 304 | "C:\Program Files\Mozilla Firefox\firefox.exe" -headless -new-tab "https://addons.mozilla.org/en-US/firefox/" | C:\Program Files\Mozilla Firefox\firefox.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: HIGH Description: Firefox Exit code: 4294967295 Version: 68.0.1 Modules
| |||||||||||||||
| 308 | "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto | C:\Windows\system32\sc.exe | — | WebCompanionInstaller.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | "C:\Users\admin\AppData\Local\Temp\ayoj1qpw.sfn.exe" --silent --homepage=1 --search=1 --partner=BT170602 | C:\Users\admin\AppData\Local\Temp\ayoj1qpw.sfn.exe | cmd.exe | ||||||||||||
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Installer Exit code: 0 Version: 4.8.2078.3950 Modules
| |||||||||||||||
| 684 | "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone | C:\Windows\System32\cmd.exe | — | WebCompanionInstaller.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 872 | netsh http add urlacl url=http://+:9007/ user=Everyone | C:\Windows\system32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 936 | "C:\Program Files\Mozilla Firefox\firefox.exe" -headless -new-tab https://addons.mozilla.org/en-US/firefox/ | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 68.0.1 Modules
| |||||||||||||||
| 940 | C:\Windows\system32\MsiExec.exe -Embedding 43ADC452A51CE1C0D0DEF84DA481DC9F | C:\Windows\system32\MsiExec.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1364 | taskkill /F /T /IM firefox.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1520 | .\WebCompanionInstaller.exe --partner=BT170602 --version=4.8.2078.3950 --prod --silent --homepage=1 --search=1 --partner=BT170602 | C:\Users\admin\AppData\Local\Temp\7zSA3F0.tmp\WebCompanionInstaller.exe | ayoj1qpw.sfn.exe | ||||||||||||
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Exit code: 0 Version: 4.8.2078.3950 Modules
| |||||||||||||||
| 1640 | "cmd.exe" /c CertUtil "C:\Users\admin\AppData\Local\Temp\SafeGuard\META-INF\mozilla.rsa" | findstr S=CA | C:\Windows\system32\cmd.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
6 783
Read events
6 258
Write events
505
Delete events
20
Modification events
| (PID) Process: | (2908) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 2884-13212688013415000 |
Value: 259 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 1512-13197841398593750 |
Value: 0 | |||
| (PID) Process: | (2884) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
Executable files
118
Suspicious files
40
Text files
376
Unknown types
27
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\7f44a812-8df7-4fbc-9457-512e9cc1d8fc.tmp | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old~RF16a1b3.TMP | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | — | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2884 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF169ffe.TMP | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
62
TCP/UDP connections
1 750
DNS requests
77
Threats
27
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2072 | btweb.exe | GET | — | 178.79.208.44:80 | http://btinstall-artifacts.bittorrent.com/helper/helper.btinstall | IT | — | — | suspicious |
1520 | WebCompanionInstaller.exe | POST | — | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | — | — | whitelisted |
3096 | GenericSetup.exe | GET | 200 | 104.17.178.102:80 | http://webcompanion.com/nano_download.php?partner=BT170602 | US | executable | 365 Kb | malicious |
2368 | chrome.exe | GET | 200 | 67.229.68.203:80 | http://www.pcfreetime.com/public/ffsetuplatest.exe.torrent | US | torrent | 14.0 Kb | malicious |
1520 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
4020 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart | US | text | 29 b | whitelisted |
1520 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
1520 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
2356 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
4020 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2368 | chrome.exe | 67.229.68.203:80 | www.pcfreetime.com | Krypt Technologies | US | malicious |
2368 | chrome.exe | 172.217.21.196:443 | www.google.com | Google Inc. | US | whitelisted |
2368 | chrome.exe | 172.217.21.227:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
2356 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3764 | iexplore.exe | 2.16.186.24:80 | shell.windows.com | Akamai International B.V. | — | whitelisted |
3764 | iexplore.exe | 2.19.38.59:80 | go.microsoft.com | Akamai International B.V. | — | whitelisted |
2368 | chrome.exe | 172.217.18.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
2368 | chrome.exe | 172.217.18.110:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
3764 | iexplore.exe | 172.217.16.202:443 | ajax.googleapis.com | Google Inc. | US | whitelisted |
2368 | chrome.exe | 216.58.207.45:443 | accounts.google.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.pcfreetime.com |
| malicious |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
sb-ssl.google.com |
| whitelisted |
www.google.com |
| malicious |
ssl.gstatic.com |
| whitelisted |
www.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
shell.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2368 | chrome.exe | Potential Corporate Privacy Violation | ET P2P possible torrent download |
2368 | chrome.exe | Potential Corporate Privacy Violation | ET P2P BitTorrent - Torrent File Downloaded |
4020 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
3096 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3096 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3096 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2940 | Carrier.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |
2940 | Carrier.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |
2072 | btweb.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3 |
2072 | btweb.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
|---|---|
WebCompanionInstaller.exe | Detecting windows culture
|
WebCompanionInstaller.exe | 9/11/2019 4:08:24 PM :-> Starting installer 4.8.2078.3950 with: .\WebCompanionInstaller.exe --partner=BT170602 --version=4.8.2078.3950 --prod --silent --homepage=1 --search=1 --partner=BT170602, Run as admin: True
|
WebCompanionInstaller.exe | Preparing for installing Web Companion
|
WebCompanionInstaller.exe | 9/11/2019 4:08:26 PM :-> Generating Machine and Install Id ...
|
WebCompanionInstaller.exe | 9/11/2019 4:08:26 PM :-> Machine Id and Install Id has been generated
|
WebCompanionInstaller.exe | 9/11/2019 4:08:27 PM :-> Checking prerequisites ...
|
WebCompanionInstaller.exe | 9/11/2019 4:08:27 PM :-> Antivirus not detected
|
WebCompanionInstaller.exe | 9/11/2019 4:08:29 PM :-> vm_check False
|
WebCompanionInstaller.exe | 9/11/2019 4:08:57 PM :-> reg_check :False
|
WebCompanionInstaller.exe | 9/11/2019 4:08:57 PM :-> Installed .Net framework is V40
|