Malware analysis Setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/1d306bae-ca79-4ff8-9b46-34c976a058e1
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	February 14, 2025, 15:20:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-scr adware adaware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	3289861D18B10D81C43FAD3FB74474AE
SHA1:	D20FA8358A21FA8B4F1644C0FF9E32BEE8504917
SHA256:	B4B691E506CCF0BA2230FA9E41DA2C9CD391620840FC2F90EA9C2EC083001BC9
SSDEEP:	24576:s6VnvK6nNCRpBdV8IP+X+welQi2/Hcydn3o20Co4LSRl:s6VnvKSNCRLdV8IP+X+welQiEHc+3o2i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ADAWARE has been detected (SURICATA)
  - WebCompanion.exe (PID: 4652)
- Actions looks like stealing of personal data
  - WebCompanion.exe (PID: 4652)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Setup.exe (PID: 1556)
  - WebCompanionInstaller.exe (PID: 3992)
- Reads security settings of Internet Explorer
  - WebCompanionInstaller.exe (PID: 3992)
- Executes as Windows Service
  - PresentationFontCache.exe (PID: 6544)
- Checks Windows Trust Settings
  - WebCompanionInstaller.exe (PID: 3992)
- Process drops legitimate windows executable
  - WebCompanionInstaller.exe (PID: 3992)
- The process drops C-runtime libraries
  - WebCompanionInstaller.exe (PID: 3992)
- Starts CMD.EXE for commands execution
  - WebCompanionInstaller.exe (PID: 3992)
- Access to an unwanted program domain was detected
  - WebCompanion.exe (PID: 4652)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 1684)
- Drops 7-zip archiver for unpacking
  - WebCompanionInstaller.exe (PID: 3992)
INFO
- Checks supported languages
  - WebCompanionInstaller.exe (PID: 3992)
  - Setup.exe (PID: 1556)
  - PresentationFontCache.exe (PID: 6544)
- The sample compiled with english language support
  - Setup.exe (PID: 1556)
  - WebCompanionInstaller.exe (PID: 3992)
- Disables trace logs
  - WebCompanionInstaller.exe (PID: 3992)
- Create files in a temporary directory
  - Setup.exe (PID: 1556)
  - WebCompanionInstaller.exe (PID: 3992)
- Checks proxy server information
  - WebCompanionInstaller.exe (PID: 3992)
- Reads the software policy settings
  - WebCompanionInstaller.exe (PID: 3992)
- Reads the machine GUID from the registry
  - WebCompanionInstaller.exe (PID: 3992)
  - PresentationFontCache.exe (PID: 6544)
- Reads the computer name
  - PresentationFontCache.exe (PID: 6544)
- Creates files or folders in the user directory
  - WebCompanionInstaller.exe (PID: 3992)
  - WebCompanion.exe (PID: 4652)
- SQLite executable
  - WebCompanionInstaller.exe (PID: 3992)
- Creates files in the program directory
  - WebCompanion.exe (PID: 4652)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (33)
.exe	\|	Win32 Executable MS Visual C++ (generic) (23.9)
.exe	\|	Win64 Executable (generic) (21.2)
.scr	\|	Windows screen saver (10)
.dll	\|	Win32 Dynamic Link Library (generic) (5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:04:18 18:54:06+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	104448
InitializedDataSize:	60416
UninitializedDataSize:	-
EntryPoint:	0x148d4
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	10.901.2.519
ProductVersionNumber:	10.901.2.519
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileVersion:	10.901.2.519
ProductVersion:	10.901.2.519
CompanyName:	Lavasoft
FileDescription:	Web Companion Installer
InternalName:	Installer.exe
LegalCopyright:	c Lavasoft Limited. All Rights Reserved.
OriginalFileName:	Installer.exe
ProductName:	Web Companion Installer

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

134

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1556

"C:\Users\admin\AppData\Local\Temp\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Setup.exe

explorer.exe

User:

admin

Company:

Lavasoft

Integrity Level:

MEDIUM

Description:

Web Companion Installer

Version:

10.901.2.519

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

1620

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1684

"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone

C:\Windows\SysWOW64\cmd.exe

—

WebCompanionInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3080

netsh http add urlacl url=http://+:9007/ user=Everyone

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3992

.\WebCompanionInstaller.exe --savename=Setup.exe --partner=IN220101 --nonadmin --direct --tych --campaign=20398341592 --version=10.901.2.519

C:\Users\admin\AppData\Local\Temp\7zS416A30B3\WebCompanionInstaller.exe

Setup.exe

User:

admin

Company:

Lavasoft

Integrity Level:

MEDIUM

Description:

Web Companion

Version:

10.901.2.519

Modules

Images
c:\users\admin\appdata\local\temp\7zs416a30b3\webcompanioninstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4652

"C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=

C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

WebCompanionInstaller.exe

User:

admin

Company:

Lavasoft

Integrity Level:

MEDIUM

Description:

Web Companion

Version:

10.1.2.519

Modules

Images
c:\users\admin\appdata\roaming\lavasoft\web companion\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

6544

C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

—

services.exe

User:

LOCAL SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

PresentationFontCache.exe

Version:

3.0.6920.9141 built by: WinRelRS6

Modules

Images
c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

12 773

Read events

12 726

Write events

Delete events

Modification events


(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lavasoft\Web Companion
Operation:	write	Name:	MachineId
Value: ad1f12af-3f36-3c28-b351-2ce4355f42c2
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3992) WebCompanionInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\pt-BR\WebCompanionInstaller.resources.dll		executable
		MD5:0ADD586EA8B12D274D453BEF1DC09A4B	SHA256:59122B50D3C6CC5C9C3CB6548041F1A468717A44DF38EB8864D95F3B5837448B
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\ru-RU\WebCompanionInstaller.resources.dll		executable
		MD5:A8EB23DA5A7A026FC40FC80D45773930	SHA256:4CF40997858BC1919BF704B322642A7024D71EB41CD9339D9C62F583CB7B3713
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\ja-JP\WebCompanionInstaller.resources.dll		executable
		MD5:C93DB8A30F016DDC963592B9EC8DB51A	SHA256:48C6F0C8E5323ACD383BFF4B9407854B1ABE3B7CD88F81E7B41139C88167D73D
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\tr-TR\WebCompanionInstaller.resources.dll		executable
		MD5:D0B891BDD8A9CB2ECEF467043456B896	SHA256:B6876B549DB6AAACFA023DC9B26730DBA139B44203918CE98A633BF35E4BFA9F
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\WebCompanionInstaller.exe.config		xml
		MD5:EBACEC1E9929BD429C709A9FD0C210AC	SHA256:AE0E80F5549F5AD5EF0996882A2E0F997FF3724E63A35C9BCA9001B10F58DEE6
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\fr-CA\WebCompanionInstaller.resources.dll		executable
		MD5:F818537B70C4CB6ABC4949FA6A1AA4A8	SHA256:8D14E0B8847D9C5D71EAB73115F0FBE89798B4B0E84FBC2AD81C411AC2F5AFEC
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\zh-CHS\WebCompanionInstaller.resources.dll		executable
		MD5:581CC2E4A7B67F04B3736AFE592C3BA5	SHA256:EB2384F4871B5DBA83FD3F5B076442B4AEAD1E57ED10E9095C1E13B45AC8BCC5
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\es-ES\WebCompanionInstaller.resources.dll		executable
		MD5:09681EF51303E2E6CD5E6713FF294435	SHA256:38EB66E04D8EEF91D6EBF0808D76E55DE1F347D4D464BBD5BF545E11900DE6C6
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\it-IT\WebCompanionInstaller.resources.dll		executable
		MD5:F2822BA70932056918186EE7AB5EE46A	SHA256:E7FF822CD0E0EE4E9BEFC016EA815AC5835F09C24502A18F6727E579BADCC7B4
1556	Setup.exe	C:\Users\admin\AppData\Local\Temp\7zS416A30B3\Newtonsoft.Json.dll		executable
		MD5:6FE086F542AE0DDE2AB0162A87B63192	SHA256:484A60598618C20E518C0ACB0A2D5296FB64D15DEA2EDDA698A178CABA16CE27

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1176	svchost.exe	GET	200	23.51.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3992	WebCompanionInstaller.exe	GET	200	104.16.148.130:80	http://wcdownloadercdn.lavasoft.com/10.1.2.519/WebCompanion-10.1.2.519-prod.zip	unknown	—	—	whitelisted
7040	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2008	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
4652	WebCompanion.exe	GET	200	64.18.87.81:80	http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_wb	unknown	—	—	whitelisted
4652	WebCompanion.exe	GET	200	64.18.87.81:80	http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ab	unknown	—	—	whitelisted
7040	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4652	WebCompanion.exe	GET	200	64.18.87.81:80	http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101	unknown	—	—	whitelisted
4652	WebCompanion.exe	GET	200	64.18.87.81:80	http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac	unknown	—	—	whitelisted
3992	WebCompanionInstaller.exe	GET	200	23.209.209.62:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.19.96.80:443	www.bing.com	Akamai International B.V.	DE	whitelisted
3992	WebCompanionInstaller.exe	23.209.209.62:80	ocsp.entrust.net	PT. Telekomunikasi Selular	ID	whitelisted
1076	svchost.exe	2.19.106.8:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	20.190.160.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	23.51.98.7:80	ocsp.digicert.com	Akamai International B.V.	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	23.51.98.7:80	ocsp.digicert.com	Akamai International B.V.	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.19.96.80 2.19.96.32 2.19.96.81 2.19.96.26 2.19.96.130 2.19.96.24 2.19.96.34 2.19.96.104 2.19.96.27	whitelisted
ocsp.entrust.net	23.209.209.62	whitelisted
go.microsoft.com	2.19.106.8	whitelisted
login.live.com	20.190.160.128 40.126.32.74 40.126.32.133 40.126.32.136 40.126.32.138 20.190.160.4 20.190.160.17 20.190.160.3	whitelisted
ocsp.digicert.com	23.51.98.7 2.23.77.188	whitelisted
wcdownloadercdn.lavasoft.com	104.16.148.130 104.16.149.130	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Threats

PID	Process	Class	Message
3992	WebCompanionInstaller.exe	Potentially Bad Traffic	ET HUNTING Terse Request for Zip File (GET)
4652	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
4652	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
4652	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
4652	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion

Add for printing

No debug info

General Info

Setup.exe

3289861D18B10D81C43FAD3FB74474AE

D20FA8358A21FA8B4F1644C0FF9E32BEE8504917

B4B691E506CCF0BA2230FA9E41DA2C9CD391620840FC2F90EA9C2EC083001BC9

24576:s6VnvK6nNCRpBdV8IP+X+welQi2/Hcydn3o20Co4LSRl:s6VnvKSNCRLdV8IP+X+welQiEHc+3o2i

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADAWARE has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Executes as Windows Service

Checks Windows Trust Settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

Access to an unwanted program domain was detected

Suspicious use of NETSH.EXE

Drops 7-zip archiver for unpacking

INFO

Checks supported languages

The sample compiled with english language support

Disables trace logs

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

SQLite executable

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings