Malware analysis Setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/37158ab5-e7c3-470e-b062-6307ac404a0c
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 18, 2025, 14:55:07
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	adware adaware arch-exec arch-scr webcompanion tool stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	92407C380F366ABB1050D944BEB7746A
SHA1:	942E6606F018028A50345163475BEFA0C3C2326F
SHA256:	9FFA11FB3D0FDBD4CA07C1454E3F2BC0C80658731CC8D3AD79B69DD8878DAE7F
SSDEEP:	24576:/SIe5VvZ0jvUTfPfkSqO6n7KnPC2hWbWaaQJza:/SIe5VvZ0jvUTfPfkSqO6n7KnPC2hWbr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ADAWARE has been detected (SURICATA)
  - WebCompanion.exe (PID: 5800)
- Changes the autorun value in the registry
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
- Actions looks like stealing of personal data
  - WebCompanion.exe (PID: 7012)
SUSPICIOUS
- The process drops C-runtime libraries
  - Setup.exe (PID: 2340)
- Drops 7-zip archiver for unpacking
  - Setup.exe (PID: 2340)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 2340)
- The process creates files with name similar to system file names
  - Setup.exe (PID: 2340)
- Process drops legitimate windows executable
  - Setup.exe (PID: 2340)
- Creates a software uninstall entry
  - Setup.exe (PID: 2340)
- Searches for installed software
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 4464)
- Starts CMD.EXE for commands execution
  - Setup.exe (PID: 2340)
- Reads security settings of Internet Explorer
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 7012)
  - WebCompanion.exe (PID: 5800)
- Access to an unwanted program domain was detected
  - WebCompanion.exe (PID: 5800)
- The process checks if it is being run in the virtual environment
  - WebCompanion.exe (PID: 7012)
INFO
- Create files in a temporary directory
  - Setup.exe (PID: 2340)
- Reads the computer name
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
- Checks proxy server information
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 7012)
  - WebCompanion.exe (PID: 5800)
- Checks supported languages
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
- SQLite executable
  - Setup.exe (PID: 2340)
- Reads the machine GUID from the registry
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
- Creates files or folders in the user directory
  - Setup.exe (PID: 2340)
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
- The sample compiled with english language support
  - Setup.exe (PID: 2340)
- Reads the software policy settings
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
  - Setup.exe (PID: 2340)
- Creates files in the program directory
  - WebCompanion.exe (PID: 5800)
- Disables trace logs
  - WebCompanion.exe (PID: 5800)
  - WebCompanion.exe (PID: 7012)
  - Setup.exe (PID: 2340)
- Process checks computer location settings
  - Setup.exe (PID: 2340)
- Application launched itself
  - chrome.exe (PID: 2240)
- ADAWAREWEBCOMPANION mutex has been found
  - WebCompanion.exe (PID: 7012)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:05:14 08:46:30+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	702976
InitializedDataSize:	28160
UninitializedDataSize:	-
EntryPoint:	0xad8d6
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	13.900.0.1080
ProductVersionNumber:	13.900.0.1080
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	13.900.0.1080
ProductVersion:	13.900.0.1080
FileDescription:	Web Companion
InternalName:	WebCompanion.exe
LegalCopyright:	c Lavasoft Limited. All Rights Reserved.
OriginalFileName:	WebCompanion.exe
ProductName:	Web Companion
AssemblyVersion:	13.900.0.1080
CompanyName:	Lavasoft
LegalTrademarks:	(R) Lavasoft
Comments:	Web Companion protects you against malicious websites and dangerous links found online

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

164

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

644

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2088 --field-trial-handle=1956,i,7565173750927898245,158349218828209789,262144 --variations-seed-version /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1052

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1956,i,7565173750927898245,158349218828209789,262144 --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1300

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6028 --field-trial-handle=1956,i,7565173750927898245,158349218828209789,262144 --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1324

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1956,i,7565173750927898245,158349218828209789,262144 --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1512

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3292 --field-trial-handle=1956,i,7565173750927898245,158349218828209789,262144 --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2240

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://webcompanion.com/en/install.php?partner=IN250102&campaign=22379554474&

C:\Program Files\Google\Chrome\Application\chrome.exe

Setup.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2340

"C:\Users\admin\AppData\Local\Temp\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Setup.exe

explorer.exe

User:

admin

Company:

Lavasoft

Integrity Level:

MEDIUM

Description:

Web Companion

Exit code:

Version:

13.900.0.1080

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2800

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

2908

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5892 --field-trial-handle=1956,i,7565173750927898245,158349218828209789,262144 --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4000

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

29 160

Read events

29 096

Write events

Delete events

Modification events


(PID) Process:	(2340) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lavasoft\Web Companion
Operation:	write	Name:	MachineId
Value: ad1f12af-3f36-3c28-b351-2ce4355f42c2
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2340) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Setup_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

145

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2340	Setup.exe	C:\Users\admin\AppData\Local\Temp\WebCompanion.zip		compressed
		MD5:C0A2AAF917E6BC1D951EC481213D4138	SHA256:2F87DCD36A114502A3C80ECF8A8C5F5EF60475951F9C142A1A68BDEC6CAA3E23
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\BCUSDK.dll		executable
		MD5:79AAF194177DC418CFB4D94AF29CDD2A	SHA256:6327ED564E521BB91791EEE54D7C18699BE1DE77DB2B9D6DCDD6FB7077CACB39
2340	Setup.exe	C:\Users\admin\AppData\Local\Temp\App.config		xml
		MD5:9965A5BB6C522F5E1F52EBAB89A9EF69	SHA256:937962C98E0CDBF26416C0A4EA4F5F4F6C26FCD7ADA158883D51602CDF0462E1
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Options\Statistics.txt		binary
		MD5:72347B4446EEAF9DA5D63849FEC5FA97	SHA256:439BA3036DED0408D6739FFB010F0050709C22E7C3F05E15213993299FAB2DE6
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\BCUEngineS.dll		executable
		MD5:AFCCE3F23C9C31DE19A91FC7D436A516	SHA256:4055E2A085F44DBCD464983F9316E5A33B5056AF8ABED05FD4DFEBFDE162DD77
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\acs17.dll		executable
		MD5:56732B85F3168BA6852CD1EAC84164B0	SHA256:AAAF2F91C0F5172AFBCF15D9F06A706BB23FBBEA40361F64E8552A7D7C96F62D
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe.config		xml
		MD5:64B56E0401F35D30E7E33D3FE11DB9EA	SHA256:77348A27DB6505DCC962A97A60C8AFC4F3BBAA4D1C485616407700F6BA901379
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll		executable
		MD5:AAEBD8816C4A3FC26D5C4FA227EE565C	SHA256:10C6C4B9A94318C4244EC36A0F211D965B10661B0BC76339067AAFB866F115FD
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.Shell32.dll		executable
		MD5:EE8EE543588B987699DC972027F7C86C	SHA256:7443EC0A10F409C82FD578237E3D7588E9F9A66E8531A1A27822B7BDE5E8BEC8
2340	Setup.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe		executable
		MD5:70F3C5BB9046EDB9EE0BA0CDF63698DF	SHA256:8EB6D08CCDF88ACC4F7DE252779565A93BB57379591275EF3FA0C33303C60C0E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5800	WebCompanion.exe	GET	200	104.16.148.130:80	http://geo.lavasoft.com/	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2340	Setup.exe	GET	200	104.16.148.130:80	http://geo.lavasoft.com/	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2340	Setup.exe	GET	200	104.16.148.130:80	http://geo.lavasoft.com/	unknown	—	—	whitelisted
2420	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2420	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5800	WebCompanion.exe	GET	200	69.192.162.201:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D	unknown	—	—	whitelisted
5800	WebCompanion.exe	GET	200	69.192.162.201:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2340	Setup.exe	104.16.148.130:80	geo.lavasoft.com	CLOUDFLARENET	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146 40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	216.58.206.46	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.31.67 40.126.31.128 20.190.159.2 20.190.159.130 40.126.31.129 20.190.159.23 40.126.31.131 20.190.159.4	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
geo.lavasoft.com	104.16.148.130 104.16.149.130	whitelisted
featureflags.lavasoft.com	104.16.149.130 104.16.148.130	whitelisted
flwadw.com	104.18.26.149 104.18.27.149	unknown

Threats

PID	Process	Class	Message
5800	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
5800	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
5800	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
644	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Add for printing

No debug info

General Info

Setup.exe

92407C380F366ABB1050D944BEB7746A

942E6606F018028A50345163475BEFA0C3C2326F

9FFA11FB3D0FDBD4CA07C1454E3F2BC0C80658731CC8D3AD79B69DD8878DAE7F

24576:/SIe5VvZ0jvUTfPfkSqO6n7KnPC2hWbWaaQJza:/SIe5VvZ0jvUTfPfkSqO6n7KnPC2hWbr

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADAWARE has been detected (SURICATA)

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

The process drops C-runtime libraries

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Process drops legitimate windows executable

Creates a software uninstall entry

Searches for installed software

Suspicious use of NETSH.EXE

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Access to an unwanted program domain was detected

The process checks if it is being run in the virtual environment

INFO

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Checks supported languages

SQLite executable

Reads the machine GUID from the registry

Creates files or folders in the user directory

The sample compiled with english language support

Reads the software policy settings

Creates files in the program directory

Disables trace logs

Process checks computer location settings

Application launched itself

ADAWAREWEBCOMPANION mutex has been found

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections