File name: WebCompanionInstaller.exe
Full analysis: https://app.any.run/tasks/345f0b5a-98d2-49c0-ab89-8398a6364e99
Verdict: Malicious activity
Analysis date: December 15, 2023, 15:59:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6428F0543B9ABA51EB5AC016C7DFF05B
SHA1: F686DF1A32F56CB81443590FD2B08976BE640027
SHA256: BA130C651F7B72875C3A87AAE45F24EADA7B7FA5EF016CDB1A0CBB198B305A81
SSDEEP: 24576:z6VnvKW3IrR6Tq4pvwW1tZ+fonI3Rl/eMMf2zB:z6VnvKiIrR6Tq4pvwQtZ+feI3Rl/eMMe

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops an executable file immediately after start

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
    • Steals credentials from Web Browsers

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Creates a writable file in the system directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Changes the autorun value in the registry

      • WebCompanion.exe (PID: 2380)
    • Actions look like stealing of personal data

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
  • SUSPICIOUS

    • Searches for installed software

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads settings of System Certificates

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads the Internet Settings

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
    • Drops 7-zip archiver for unpacking

      • WebCompanion-Installer.exe (PID: 2424)
    • The process creates files with names similar to system file names

      • WebCompanion-Installer.exe (PID: 2424)
    • The process drops C-runtime libraries

      • WebCompanion-Installer.exe (PID: 2424)
    • Process drops legitimate windows executable

      • WebCompanion-Installer.exe (PID: 2424)
    • Checks Windows Trust Settings

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
    • Adds/modifies Windows certificates

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Starts SC.EXE for service management

      • WebCompanion-Installer.exe (PID: 2424)
    • Executes as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Starts CMD.EXE for commands execution

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion-Installer.exe (PID: 2424)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 3124)
    • Changes internet zones settings

      • WebCompanion-Installer.exe (PID: 2424)
    • Reads security settings of Internet Explorer

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
  • INFO

    • Creates files in a temporary directory

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
    • Checks supported languages

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
      • wmpnscfg.exe (PID: 3388)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads Environment values

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 2380)
    • Reads the machine GUID from the registry

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads the computer name

      • WebCompanion-Installer.exe (PID: 2424)
      • wmpnscfg.exe (PID: 3388)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Creates files in the program directory

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3388)
    • Reads product name

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Creates files or folders in the user directory

      • WebCompanion.exe (PID: 3440)
      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 2380)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (33)
.exe | Win32 Executable MS Visual C++ (generic) (23.9)
.exe | Win64 Executable (generic) (21.2)
.scr | Windows screen saver (10)
.dll | Win32 Dynamic Link Library (generic) (5)

The top TRiD guess (InstallShield) is not borne out by the run: PID 1152 unpacks into a 7zS-prefixed temp directory (7zS084B5B11), the naming used by 7-Zip self-extracting stubs, and it maps no .NET runtime. The 2011 compile timestamp and linker version 6 in the EXIF block therefore belong to that native SFX stub, not to the 12.1.2.982 .NET installer (WebCompanion-Installer.exe) it extracts.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:18 20:54:06+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 104448
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x148d4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 12.1.2.982
ProductVersionNumber: 12.1.2.982
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 12.1.2.982
ProductVersion: 12.1.2.982
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: c Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
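The EXIF block above is read straight from the PE's COFF file header and optional header. The parser below is an added example, not part of the ANY.RUN report and not Lavasoft code: it reads those two headers and decodes them into the same fields (machine, timestamp, characteristics, linker version, sizes, entry point, subsystem) so a compile timestamp can be checked independently of the sandbox. Because the sample itself is not on the page, the input is a constructed minimal PE32 header carrying the report's values; BaseOfCode, ImageBase, the alignments and SizeOfImage in it are filler.

```python
"""Parse the COFF file header and optional header that the EXIF table is derived
from, and decode them into the same fields. Added example, not from the report;
the input is a constructed minimal PE32 header carrying the report's values."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristics bits, named the way the report prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0020, "Large address aware"), (0x0100, "32-bit"),
    (0x2000, "DLL"),
]
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows console"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF = struct.Struct("<HHIIIHH")
# Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
# SizeOfUninitializedData, AddressOfEntryPoint
OPT_HEAD = struct.Struct("<HBBIIII")


def parse_pe_headers(data: bytes) -> dict:
    """Decode the DOS stub pointer, COFF header and the start of the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, _nsect, stamp, _symtab, _nsyms, _opt_size, chars = COFF.unpack_from(data, coff_off)
    opt_off = coff_off + COFF.size
    magic, lmaj, lmin, code, idata, udata, entry = OPT_HEAD.unpack_from(data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # MajorOperatingSystemVersion (+40), MajorSubsystemVersion (+48) and Subsystem (+68)
    # sit at the same offsets in PE32 and PE32+, so one read serves both formats.
    os_major = struct.unpack_from("<H", data, opt_off + 40)[0]
    subsys_major = struct.unpack_from("<H", data, opt_off + 48)[0]
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
        "pe_type": "PE32" if magic == 0x10B else "PE32+",
        "linker_version": (lmaj, lmin),
        "code_size": code,
        "initialized_data_size": idata,
        "uninitialized_data_size": udata,
        "entry_point": entry,
        "os_version": os_major,
        "subsystem_version": subsys_major,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample() -> bytes:
    """Constructed minimal PE32 header mirroring the report's EXIF values (no sections, no code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # 1303152846 = 2011-04-18 18:54:06 UTC, the report's 2011:04:18 20:54:06+02:00
    coff = COFF.pack(0x14C, 3, 1303152846, 0, 0, 224, 0x012F)
    opt = OPT_HEAD.pack(0x10B, 6, 0, 104448, 60416, 0, 0x148D4)
    opt += struct.pack("<III", 0x1000, 0x1A000, 0x400000)  # BaseOfCode, BaseOfData, ImageBase (filler)
    opt += struct.pack("<II", 0x1000, 0x200)                # SectionAlignment, FileAlignment (filler)
    opt += struct.pack("<HHHHHH", 4, 0, 0, 0, 4, 0)         # OS 4.0, image 0.0, subsystem 4.0
    opt += struct.pack("<IIII", 0, 0x30000, 0x400, 0)       # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                         # Subsystem = Windows GUI, DllCharacteristics
    return dos + b"PE\0\0" + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against the real file by replacing build_sample() with the bytes of WebCompanionInstaller.exe; a timestamp years older than the version resource, as here, is the fingerprint of a reused packer or SFX stub rather than a freshly built installer.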
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 15
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the process list below ("no indicators" marks processes the graph shows without any signature):

explorer.exe
  WebCompanionInstaller.exe (PID 1556, medium integrity, exit 0xC000042C STATUS_ELEVATION_REQUIRED; no indicators)
  WebCompanionInstaller.exe (PID 1152, high integrity; 7-Zip SFX stub unpacking to %TEMP%\7zS084B5B11)
    WebCompanion-Installer.exe (PID 2424) --partner=newwebsite --version=12.1.2.982
      sc.exe (PID 3308) Create "WCAssistantService" ... start= auto
      cmd.exe (PID 3124) /C netsh http add urlacl url=http://+:9007/ user=Everyone
        netsh.exe (PID 3272)
      WebCompanion.exe (PID 3440) --install --geo=
      WebCompanion.exe (PID 2380) --afterinstall
  wmpnscfg.exe (PID 3388; Windows Media Player component, manual execution; no indicators)
services.exe
  Lavasoft.WCAssistant.WinService.exe (PID 1868, SYSTEM)

Also in the graph, without indicators: three further sc.exe instances and a second cmd.exe/netsh.exe pair (PIDs 3500 and 3604). Their parents are not given in this excerpt, but the "Starts CMD.EXE" indicator attributes one cmd.exe to the service (PID 1868), and netsh.exe 3604 writes to HKEY_USERS\.DEFAULT, the hive of the SYSTEM profile, which places that pair under the service.

Process information

Columns: PID, parent process, command line, path, then the per-process details (the indicator icons of the original table are not reproduced).
PID 1152 | Parent: explorer.exe
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion Installer
Exit code: 0
Version: 12.1.2.982
Modules (images):
c:\users\admin\appdata\local\temp\webcompanioninstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID 1556 | Parent: explorer.exe
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch could not proceed without elevation, consistent with the installer relaunching itself elevated as PID 1152; the debug output later records "Run as admin: True". Only ntdll.dll was mapped before it exited.)
Version: 12.1.2.982
Modules (images):
c:\users\admin\appdata\local\temp\webcompanioninstaller.exe
c:\windows\system32\ntdll.dll
PID 1868 | Parent: services.exe
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
Path: C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: SPWindowsService
Exit code: 0
Version: 1.0.0.0
Note: this is the WCAssistantService registered by sc.exe (PID 3308), started by the Service Control Manager as SYSTEM; it loads the .NET runtime (mscoree.dll), and it is the process behind the certificate-store and zone-map writes in the modification events below.
Modules (images):
c:\program files\lavasoft\web companion\application\lavasoft.wcassistant.winservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 2380 | Parent: WebCompanion-Installer.exe
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Modules (images):
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 2424 | Parent: WebCompanionInstaller.exe
CMD: .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982
Path: C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Modules (images):
c:\users\admin\appdata\local\temp\7zs084b5b11\webcompanion-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 3124 | Parent: WebCompanion-Installer.exe
CMD: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1 (cmd /C returns the child's code; netsh also exited 1, so this invocation did not add the reservation. The second cmd.exe/netsh.exe pair, PIDs 3500/3604, runs in the SYSTEM context and its exit codes are not shown.)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 3272 | Parent: cmd.exe
CMD: netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: http://+:9007/ is a strong-wildcard URL reservation covering every hostname on TCP port 9007, and user=Everyone lets any local principal register an HTTP.sys listener under it, so a later local process of any privilege can serve on that port. Exit code 1 means netsh reported failure here; check `netsh http show urlacl` on a live host rather than assuming the reservation exists.
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID 3308 | Parent: WebCompanion-Installer.exe
CMD: "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path: C:\Windows\System32\sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: registers an auto-start service (MITRE ATT&CK T1543.003, Create or Modify System Process: Windows Service) from a process running out of %TEMP%; the Service Control Manager then runs the binary as PID 1868 under SYSTEM.
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 3388 | Parent: explorer.exe
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 3440 | Parent: WebCompanion-Installer.exe
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Modules (images):
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
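Of the command lines in the process list above, the service registration (PID 3308) and the URL ACL reservation (PIDs 3124/3272) are the two worth alerting on outside a sandbox. The following is an added example, not part of the ANY.RUN report and not Lavasoft code: it tokenizes Windows command lines, parses `sc create` and `netsh http add urlacl`, and raises findings for an auto-start service registered by a process running from a temp directory and for a wildcard-host reservation granted to a broad principal. The event records are constructed to mirror the report's command lines, plus one benign loopback reservation as a control; the field names follow Sysmon Event ID 1 but are an assumption about the telemetry source.

```python
"""Flag the service creation and the HTTP.sys URL reservation seen in the sandbox
process tree in process-creation telemetry. Added example, not from the report;
the records below are constructed from the report's command lines plus a control."""
import re
from dataclasses import dataclass

# Constructed records in the shape of Sysmon Event ID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {"pid": 2424,
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe",
     "cmdline": r".\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982"},
    {"pid": 3308,
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto'},
    {"pid": 3272,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh http add urlacl url=http://+:9007/ user=Everyone"},
    {"pid": 4001,  # constructed benign control: loopback-only reservation for a service account
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh http add urlacl url=http://localhost:5000/ user=CONTOSO\svc_web"},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
BROAD_PRINCIPALS = {"everyone", "s-1-1-0", "users", "builtin\\users",
                    "authenticated users", "nt authority\\authenticated users"}


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes (quotes dropped)."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_sc_create(tokens: list):
    """Return {name, binpath, start, ...} for `sc[.exe] create <name> opt= value ...`, else None."""
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("sc", "sc.exe") or tokens[1].lower() != "create":
        return None
    svc, i = {"name": tokens[2]}, 3
    while i < len(tokens):
        if tokens[i].endswith("=") and i + 1 < len(tokens):   # sc's "opt= value" syntax
            svc[tokens[i][:-1].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return svc


def parse_urlacl(tokens: list):
    """Return {url, user, ...} for `netsh http add urlacl url=... user=...`, else None."""
    low = [t.lower() for t in tokens]
    if not {"http", "add", "urlacl"} <= set(low):
        return None
    pairs = {k.lower(): v for k, v in (t.split("=", 1) for t in tokens if "=" in t)}
    return pairs if "url" in pairs else None


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def analyse(events: list) -> list:
    """Run both detections over process-creation records and return the findings."""
    findings = []
    for ev in events:
        tokens = tokenize(ev["cmdline"])
        parent = ev["parent_image"].lower()
        svc = parse_sc_create(tokens)
        if svc:
            if svc.get("start", "").lower() == "auto":       # T1543.003: auto-start service
                findings.append(Finding(ev["pid"], "service-autostart",
                                        f"{svc['name']} -> {svc.get('binpath')}"))
            if any(m in parent for m in TEMP_MARKERS):       # installer stub running from %TEMP%
                findings.append(Finding(ev["pid"], "service-created-from-temp", parent))
        acl = parse_urlacl(tokens)
        if acl:
            m = re.match(r"https?://([^/:]+)(?::(\d+))?", acl["url"])
            host, port = (m.group(1), m.group(2) or "80") if m else ("?", "?")
            # '+' (strong wildcard) and '*' (weak wildcard) reserve every hostname on the port;
            # granting that to Everyone lets any local process register an HTTP.sys listener.
            if host in ("+", "*") and acl.get("user", "").lower() in BROAD_PRINCIPALS:
                findings.append(Finding(ev["pid"], "urlacl-wildcard-broad-principal",
                                        f"port {port} reserved for {acl['user']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule}: {f.detail}")
```

The tokenizer drops the quotes so that `"sc.exe"` and `sc.exe` compare equal and quoted paths with spaces become one token; the `opt= value` handling is specific to sc.exe, whose options carry the equals sign on the option name rather than on the value.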
Total events: 27 969
Read events: 27 798
Write events: 171
Delete events: 0

Modification events

Process | Operation | Key | Name = Value
(2424) WebCompanion-Installer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | LanguageList = en-US
(2424) WebCompanion-Installer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name = Explorer.EXE
(1868) Lavasoft.WCAssistant.WinService.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E | LanguageList = en-US
(1868) Lavasoft.WCAssistant.WinService.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 | Blob = (binary value omitted)
(1868) Lavasoft.WCAssistant.WinService.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 | Blob = (binary value omitted)
(1868) Lavasoft.WCAssistant.WinService.exe | write | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 0
(1868) Lavasoft.WCAssistant.WinService.exe | write | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 1
(3604) netsh.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E | LanguageList = en-US
(2424) WebCompanion-Installer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
(2424) WebCompanion-Installer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1

Note on the AuthRoot writes: the key name 8CF427FD790C3AD166068DE81E57EFBB932272D4 is the SHA-1 thumbprint of the Entrust Root Certification Authority - G2. AuthRoot is the store that CryptoAPI's automatic root update populates, and the same PID fetches a certificate trust list from ctldl.windowsupdate.com and sends three OCSP queries to ocsp.entrust.net, so the write is consistent with chain validation of an Entrust-issued signature pulling in a root the Windows 7 image lacked, rather than with the service importing a root of its own. Confirm by decoding the Blob and checking that the certificate's subject is that Entrust root and that its hash matches the key name.
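The two writes by PID 1868 under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates are what the "Adds/modifies Windows certificates" indicator fires on. A store entry's Blob value is a sequence of (property id, flags, length, data) records, and for an entry written by CryptoAPI the key name equals the SHA-1 of the DER certificate carried in property 32. The parser below is an added example, not from the ANY.RUN report and not Lavasoft code. Because the report elides the real Blob, the input is a constructed blob built around a dummy stand-in for the certificate, and the property-id table covers only the ids named in the code.

```python
"""Decode a Windows certificate-store registry "Blob" value and verify that the
certificate it carries really hashes to the thumbprint used as the registry key name.
Added example, not from the ANY.RUN report; the blob below is constructed."""
import hashlib
import struct

# Property IDs from wincrypt.h that commonly appear in store blobs.
PROP_NAMES = {
    2: "CERT_KEY_PROV_INFO_PROP_ID",
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    32: "CERT_CERT_PROP_ID",       # the DER-encoded X.509 certificate
}
SHA1_PROP, CERT_PROP = 3, 32
RECORD_HDR = struct.Struct("<III")  # property id, flags (1 in store blobs), data length


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the (id, flags, length, data) records and return {property id: data}."""
    props, off = {}, 0
    while off < len(blob):
        if off + RECORD_HDR.size > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, flags, length = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if flags != 1 or off + length > len(blob):
            raise ValueError(f"malformed record {prop_id} at offset {off - RECORD_HDR.size}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    """True when every record parses and the blob ends exactly on a record boundary."""
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def build_cert_blob(props: dict) -> bytes:
    """Inverse of parse_cert_blob; used only to construct the sample input."""
    return b"".join(RECORD_HDR.pack(pid, 1, len(data)) + data for pid, data in props.items())


def check_thumbprint(key_name: str, blob: bytes):
    """Return (ok, sha1_of_certificate, stored_sha1_property) with hashes as upper-case hex.

    ok is True only when the key name, the SHA-1 property (if present) and the SHA-1 of the
    DER certificate all agree; any disagreement means the entry was not written the way
    CryptoAPI writes it and deserves a closer look."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_PROP)
    if der is None:
        return False, None, None
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props[SHA1_PROP].hex().upper() if SHA1_PROP in props else None
    ok = computed == key_name.upper() and stored in (None, computed)
    return ok, computed, stored


def property_names(blob: bytes) -> list:
    """Human-readable list of the properties present, for triage output."""
    return [PROP_NAMES.get(pid, f"PROP_{pid}") for pid in parse_cert_blob(blob)]


# Constructed sample: a dummy byte string stands in for the DER certificate; a real
# blob from the AuthRoot store carries the full certificate under property 32.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed stand-in, not a real certificate"
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_cert_blob({
    SHA1_PROP: bytes.fromhex(FAKE_THUMBPRINT),
    11: "Constructed Root\x00".encode("utf-16-le"),
    CERT_PROP: FAKE_DER,
})

if __name__ == "__main__":
    print(property_names(SAMPLE_BLOB))
    print(check_thumbprint(FAKE_THUMBPRINT, SAMPLE_BLOB))
```

On a live host the raw bytes come from the registry, for example `(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4').Blob` in PowerShell; property 32 can then be handed to any X.509 parser to read the subject. A key name that does not match the certificate's hash, or a SHA-1 property that disagrees with it, is the signal that something other than CryptoAPI wrote the entry.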
Executable files: 78
Suspicious files: 55
Text files: 64
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\fr-CA\WebCompanion-Installer.resources.dll | executable
  MD5: 1A9D0979F853135929A8CFA929632BB3  SHA256: 53962528A7010070152E63DB2ACF4C91D217DD99C089D48104694976BF6D882F
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\it-IT\WebCompanion-Installer.resources.dll | executable
  MD5: F8C5B4D8FA3F40BB4DA31992C36EA06B  SHA256: 16E12D225CAB30748774AF8D49755C15FAE7A486639AE191BE49B25FC7CCB7B3
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe.config | xml
  MD5: D9F815916A197AC939570FB46F30A7E0  SHA256: DFDBEDA30F14EC52BA098CEC25FBDE8E96B4B2C0EE7A978C79BCC226D3A397DA
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\es-ES\WebCompanion-Installer.resources.dll | executable
  MD5: 72E902BAD3C552E4A5B663B88E3361F2  SHA256: 853290F914866C44710B0034066E56E32E3C2AF0C6B90C9CA566BC64BBB418C8
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\ru-RU\WebCompanion-Installer.resources.dll | executable
  MD5: 6D49F12C73CD9ED8B21553D22700D228  SHA256: 3B2292C476DC538590BE02AC5C63B52BD5B4F03F6197EDB9BC7360F5D9AD80FE
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\de-DE\WebCompanion-Installer.resources.dll | executable
  MD5: 1ADA2B0FC2B5BB93F12A5AC00094BCFF  SHA256: 2F243BB7615BC6C0C86D08754B28FCD994220188D5D82704A7848A3986125569
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\pt-BR\WebCompanion-Installer.resources.dll | executable
  MD5: 9E388123D11B03496D87CA20DB2DF304  SHA256: 0DE57F6026FF2F5BD595040C91BC024D57446DB9C504A861206CF64FCD5055D9
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\ICSharpCode.SharpZipLib.dll | executable
  MD5: FF32EC84E050CDF0B99282966343FF00  SHA256: B5E8D075ACEFD6C471F0AD1BB38C3E3A27A64D8F217A6AEDC2314DE544DAD427
2424 | WebCompanion-Installer.exe | C:\Program Files\Lavasoft\Web Companion\Application\7za.exe | executable
  MD5: 7F18B06038A1137C789E4C4C093A0826  SHA256: 73DEC2865C2F91F984DB2E08AAA8747ADFF7A7D92A208F14C54BBCB1011A3008
2424 | WebCompanion-Installer.exe | C:\Program Files\Lavasoft\Web Companion\Application\acs17.dll | executable
  MD5: 98569B9CFF55B316724FED6BA9E4D2E6  SHA256: F357609323D678BEC28F5709B5472C0C42CA381552E30F874B960B1BF8E83F1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 21
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2424 | WebCompanion-Installer.exe | GET | - | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | - | - | unknown
2424 | WebCompanion-Installer.exe | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 54 b | unknown
- | - | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 50 b | unknown
2424 | WebCompanion-Installer.exe | GET | 200 | 104.17.9.52:80 | http://wcdownloadercdn.lavasoft.com/12.1.2.982/WebCompanion-12.1.2.982-prod.zip | unknown | compressed | 10.0 Mb | unknown
- | - | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c452aca4c9f2d951 | unknown | compressed | 4.66 Kb | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D | unknown | binary | 1.55 Kb | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D | unknown | binary | 812 b | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEHTvSjTpoGUpJ37OBzkq8uU%3D | unknown | binary | 806 b | unknown
3440 | WebCompanion.exe | GET | 200 | 64.18.87.81:80 | http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=newwebsite_ab | unknown | binary | 205 b | unknown
3440 | WebCompanion.exe | GET | 200 | 64.18.87.81:80 | http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=newwebsite_wb | unknown | binary | 205 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2424 | WebCompanion-Installer.exe | 104.17.9.52:80 | geo.lavasoft.com | CLOUDFLARENET | - | shared
2424 | WebCompanion-Installer.exe | 104.17.8.52:443 | geo.lavasoft.com | CLOUDFLARENET | - | shared
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2424 | WebCompanion-Installer.exe | 104.18.26.149:443 | flwadw.com | CLOUDFLARENET | - | shared
1868 | Lavasoft.WCAssistant.WinService.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1868 | Lavasoft.WCAssistant.WinService.exe | 72.246.170.45:80 | ocsp.entrust.net | AKAMAI-AS | DE | unknown
3440 | WebCompanion.exe | 104.17.9.52:80 | geo.lavasoft.com | CLOUDFLARENET | - | shared

DNS requests

Domain
IP
Reputation
geo.lavasoft.com
  • 104.17.9.52
  • 104.17.8.52
unknown
featureflags.lavasoft.com
  • 104.17.8.52
  • 104.17.9.52
unknown
flwadw.com
  • 104.18.26.149
  • 104.18.27.149
unknown
wcdownloadercdn.lavasoft.com
  • 104.17.9.52
  • 104.17.8.52
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.entrust.net
  • 72.246.170.45
whitelisted
wc-partners.lavasoft.com
  • 64.18.87.81
  • 64.18.87.82
whitelisted
webcompanion.com
  • 104.18.212.25
  • 104.18.211.25
unknown
staging-partner-info.lavasoft.net
unknown
sg-bitmask.adaware.com
  • 104.18.67.73
  • 104.18.68.73
unknown

Threats

PID | Process | Class | Message
2424 | WebCompanion-Installer.exe | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)
Process
Message
WebCompanion-Installer.exe
Detecting windows culture
WebCompanion-Installer.exe
Preparing request for featureflag: {"Geo":"NL","Partner":"newwebsite","Campaign":"NA","InstallDate":"20231215","TriggerType":"install","TriggerEvent":"installer","Version":"12.1.2.982","featurewp":true,"featureal":true}
WebCompanion-Installer.exe
Getting response from featureflag: [{"sectionCode":"WAC","code":"WAC","configuration":"{\"Icon\": \"https://webcompanion.com/images/favicon.ico\", \"AppName\": \"Web Companion\", \"Settings\": [\"WCAutoUpdate\", \"EnableGranularity\", \"PostRunV2Action\", \"PostRunTimerAction\", \"EnableTelemetryScan\", \"EnableWebProtection\", \"EnableDynamicNotification\"], \"CompanyName\": \"Lavasoft\", \"ConfigVersion\": \"v1\", \"CurrentVersion\": \"9.3.0\"}","targetId":301},{"sectionCode":"WFAI","code":"WCP","configuration":"{\"Version\": \"3.0.2.12\", \"FilePath\": \"https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip\", \"BlackList\": \"https://acs.lavasoft.com/api/v2/url/blacklist\", \"WhiteList\": \"https://acs.lavasoft.com/api/v2/url/permanentwhitelist\", \"DisplayName\": \"Web Protection\", \"FeatureName\": \"WebProtection\"}","targetId":241}]
WebCompanion-Installer.exe
12/15/2023 3:59:40 PM :-> Start
WebCompanion-Installer.exe
12/15/2023 3:59:40 PM :-> Starting installer 12.1.2.982 with: .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982, Run as admin: True
WebCompanion-Installer.exe
Failed to report progress in SendPostRequest: System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe
SecurityProtocol set toTls, Tls11, Tls12, Tls13
WebCompanion-Installer.exe
Preparing for installing Web Companion
WebCompanion-Installer.exe
Failed to report progress in SendPostRequest: System.Net.WebException: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) --- End of inner exception stack trace --- at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe
12/15/2023 4:00:09 PM :-> Generating Machine and Install Id ...