File name: WebCompanionInstaller.exe

Full analysis: https://app.any.run/tasks/345f0b5a-98d2-49c0-ab89-8398a6364e99
Verdict: Malicious activity
Analysis date: December 15, 2023, 15:59:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6428F0543B9ABA51EB5AC016C7DFF05B
SHA1: F686DF1A32F56CB81443590FD2B08976BE640027
SHA256: BA130C651F7B72875C3A87AAE45F24EADA7B7FA5EF016CDB1A0CBB198B305A81
SSDEEP: 24576:z6VnvKW3IrR6Tq4pvwW1tZ+fonI3Rl/eMMf2zB:z6VnvKiIrR6Tq4pvwQtZ+feI3Rl/eMMe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
    • Creates a writable file in the system directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Steals credentials from Web Browsers

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Changes the autorun value in the registry

      • WebCompanion.exe (PID: 2380)
    • Actions look like stealing of personal data

      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
  • SUSPICIOUS

    • Searches for installed software

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads settings of System Certificates

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads the Internet Settings

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Drops 7-zip archiver for unpacking

      • WebCompanion-Installer.exe (PID: 2424)
    • The process creates files with name similar to system file names

      • WebCompanion-Installer.exe (PID: 2424)
    • Process drops legitimate windows executable

      • WebCompanion-Installer.exe (PID: 2424)
    • The process drops C-runtime libraries

      • WebCompanion-Installer.exe (PID: 2424)
    • Starts SC.EXE for service management

      • WebCompanion-Installer.exe (PID: 2424)
    • Executes as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Checks Windows Trust Settings

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Adds/modifies Windows certificates

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      (The only certificate write recorded in the modification events is to HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob. AuthRoot is the store that Windows' automatic root update fills while building a chain, the thumbprint is the published one of Entrust Root Certification Authority - G2, and the same process fetched ctldl.windowsupdate.com and ocsp.entrust.net, so this reads as ordinary chain validation of an Entrust-signed binary rather than an installed rogue root. Confirm against the blob in the full report before treating it as an indicator.)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 3124)
      (The recorded instance, cmd.exe 3124 launching netsh.exe 3272, runs netsh http add urlacl url=http://+:9007/ user=Everyone. That reserves the HTTP.sys URL namespace for port 9007 on every hostname for all local users, so afterwards any local process, at any integrity level, can register an HTTP listener on that port. Both processes exited with code 1, so the reservation did not succeed in that run; the second cmd.exe (3500) and netsh.exe (3604) have no command line in this report.)
    • Starts CMD.EXE for commands execution

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion-Installer.exe (PID: 2424)
    • Changes internet zones settings

      • WebCompanion-Installer.exe (PID: 2424)
    • Reads security settings of Internet Explorer

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
  • INFO

    • Create files in a temporary directory

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
    • Checks supported languages

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
      • wmpnscfg.exe (PID: 3388)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads the machine GUID from the registry

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
    • Reads Environment values

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
    • Reads the computer name

      • WebCompanion-Installer.exe (PID: 2424)
      • wmpnscfg.exe (PID: 3388)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
    • Creates files in the program directory

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3388)
    • Creates files or folders in the user directory

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads product name

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (33)
.exe | Win32 Executable MS Visual C++ (generic) (23.9)
.exe | Win64 Executable (generic) (21.2)
.scr | Windows screen saver (10)
.dll | Win32 Dynamic Link Library (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:18 20:54:06+02:00 (link time of the outer stub, not of the 2023 product build: the 7zS084B5B11 extraction folder and the 7-Zip archiver dropped for unpacking are consistent with a 7-Zip SFX wrapper around the .NET installer)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 104448
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x148d4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 12.1.2.982
ProductVersionNumber: 12.1.2.982
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 12.1.2.982
ProductVersion: 12.1.2.982
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: c Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
Total processes: 61
Monitored processes: 15
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph ("no specs" marks processes without a detail entry below):
start, webcompanioninstaller.exe, webcompanion-installer.exe, wmpnscfg.exe (no specs), sc.exe (no specs), sc.exe (no specs), sc.exe (no specs), lavasoft.wcassistant.winservice.exe, sc.exe (no specs), cmd.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), netsh.exe (no specs), webcompanion.exe, webcompanion.exe, webcompanioninstaller.exe (no specs)

Process information

PID: 1152
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion Installer
Exit code: 0
Version: 12.1.2.982
Loaded modules:
  • c:\users\admin\appdata\local\temp\webcompanioninstaller.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 1556
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch requested elevation; the elevated instance is PID 1152 at integrity HIGH)
Version: 12.1.2.982
Loaded modules:
  • c:\users\admin\appdata\local\temp\webcompanioninstaller.exe
  • c:\windows\system32\ntdll.dll

PID: 1868
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
Path: C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: SPWindowsService
Exit code: 0
Version: 1.0.0.0
Loaded modules:
  • c:\program files\lavasoft\web companion\application\lavasoft.wcassistant.winservice.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2380
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Loaded modules:
  • c:\program files\lavasoft\web companion\application\webcompanion.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2424
CMD: .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982
Path: C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Loaded modules:
  • c:\users\admin\appdata\local\temp\7zs084b5b11\webcompanion-installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3124
CMD: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\cmd.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded modules:
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 3272
CMD: netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1 (non-zero: the reservation command did not succeed in this run)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\credui.dll
  • c:\windows\system32\user32.dll

PID: 3308
CMD: "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path: C:\Windows\System32\sc.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
  • c:\windows\system32\sc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3388
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3440
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Loaded modules:
  • c:\program files\lavasoft\web companion\application\webcompanion.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
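The process table above is a persistence chain worth turning into detection logic: the installer registers an auto-start service with sc.exe, spawns cmd.exe/netsh.exe to reserve an HTTP.sys URL for Everyone, and the service later writes into a system certificate store. The following is an added example (not ANY.RUN's or Lavasoft's code) that applies those three rules to event records and attributes each hit to the registered service binary when it sits in the process ancestry. The Event layout is an assumption loosely modelled on Sysmon event 1 (process create) and event 13 (registry value set); SAMPLE_EVENTS is constructed from the command lines and registry writes in this report, and the second cmd/netsh pair (PIDs 3500, 3604), whose command line the report does not show, is assumed to repeat the same urlacl command.

```python
"""Flag service persistence, broad URL reservations and cert-store writes from event records."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "proc" (process create) or "reg" (registry value set)
    pid: int
    ppid: int           # 0 when the parent is outside the sample
    image: str          # full image path of the acting process
    cmdline: str = ""   # "proc" only
    key: str = ""       # "reg" only


URLACL_RE = re.compile(r"\bhttp\s+add\s+urlacl\b.*?\burl=(?P<url>\S+).*?\buser=(?P<user>\S+)", re.I)
SC_NAME_RE = re.compile(r'\bcreate\s+"?(?P<name>[^"\s]+)', re.I)
SC_BIN_RE = re.compile(r'\bbinpath=\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
SC_START_RE = re.compile(r"\bstart=\s*(?P<start>\w+)", re.I)
CERT_KEY_RE = re.compile(
    r"\\SystemCertificates\\(?P<store>AuthRoot|Root|CA|TrustedPublisher)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})")
# Principals that let any local account bind the reserved URL.
BROAD_PRINCIPALS = {"everyone", "s-1-1-0", "users", "builtin\\users", "authenticated users"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    procs = {e.pid: e for e in events if e.kind == "proc"}
    services = {}   # lower-cased binPath -> service name, from "sc create"
    findings = []

    # Pass 1: service registrations, so later events can be tied to the service binary.
    for e in events:
        if e.kind == "proc" and _base(e.image) == "sc.exe":
            name, binm, start = (SC_NAME_RE.search(e.cmdline), SC_BIN_RE.search(e.cmdline),
                                 SC_START_RE.search(e.cmdline))
            if name and binm:
                path = binm["q"] or binm["u"]
                services[path.lower()] = name["name"]
                findings.append({"rule": "service_create", "pid": e.pid, "name": name["name"],
                                 "binpath": path, "start": start["start"].lower() if start else None,
                                 "creator": _base(procs[e.ppid].image) if e.ppid in procs else None})

    def service_ancestor(pid):
        """Name of the registered service whose binary is this process or an ancestor, else None."""
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            if procs[pid].image.lower() in services:
                return services[procs[pid].image.lower()]
            pid = procs[pid].ppid
        return None

    # Pass 2: URL reservations and certificate-store writes, attributed to a service if any.
    for e in events:
        if e.kind == "proc" and _base(e.image) == "netsh.exe":
            m = URLACL_RE.search(e.cmdline)
            if m:
                port = re.search(r":(\d+)/", m["url"])
                findings.append({"rule": "urlacl_reservation", "pid": e.pid, "url": m["url"],
                                 "user": m["user"], "port": int(port[1]) if port else None,
                                 "any_user": m["user"].strip('"').lower() in BROAD_PRINCIPALS,
                                 "via_service": service_ancestor(e.pid)})
        elif e.kind == "reg":
            m = CERT_KEY_RE.search(e.key)
            if m:
                findings.append({"rule": "cert_store_write", "pid": e.pid, "image": _base(e.image),
                                 "store": m["store"], "thumbprint": m["thumb"].upper(),
                                 "via_service": service_ancestor(e.pid)})
    return findings


# Constructed sample, built from the command lines in this report (assumption: Sysmon-like fields).
INSTALLER = r"C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe"
SERVICE_BIN = r"C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
URLACL_CMD = "netsh http add urlacl url=http://+:9007/ user=Everyone"
SAMPLE_EVENTS = [
    Event("proc", 2424, 1152, INSTALLER, r".\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982"),
    Event("proc", 3308, 2424, r"C:\Windows\System32\sc.exe",
          '"sc.exe" Create "WCAssistantService" binPath= "' + SERVICE_BIN + '" DisplayName= "WC Assistant" start= auto'),
    Event("proc", 3124, 2424, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /C ' + URLACL_CMD),
    Event("proc", 3272, 3124, r"C:\Windows\System32\netsh.exe", URLACL_CMD),
    Event("proc", 1868, 0, SERVICE_BIN, '"' + SERVICE_BIN + '"'),
    # Assumption: the report shows a second cmd/netsh pair (3500, 3604) under the service but no
    # command line for it; it is taken here to repeat the same urlacl command.
    Event("proc", 3500, 1868, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /C ' + URLACL_CMD),
    Event("proc", 3604, 3500, r"C:\Windows\System32\netsh.exe", URLACL_CMD),
    Event("reg", 1868, 0, SERVICE_BIN,
          key=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On this sample it reports one service_create (WCAssistantService, start=auto, created by webcompanion-installer.exe), two urlacl_reservation hits on port 9007 with any_user=True (the second attributed to WCAssistantService through cmd.exe), and one cert_store_write to AuthRoot from the service. The any_user flag and the via_service attribution are the two fields that separate a routine vendor installer from something that quietly opens a port every local user can bind under a SYSTEM service.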
Total events: 27 969
Read events: 27 798
Write events: 171
Delete events: 0

Modification events

(PID 2424) WebCompanion-Installer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
  Operation: write | Name: LanguageList | Value: en-US
(PID 2424) WebCompanion-Installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
  Operation: write | Name: Name | Value: Explorer.EXE
(PID 1868) Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
  Operation: write | Name: LanguageList | Value: en-US
(PID 1868) Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4
  Operation: write | Name: Blob | Value: (binary certificate blob, not reproduced here; two writes recorded)
(PID 1868) Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: UNCAsIntranet | Value: 0
(PID 1868) Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: AutoDetect | Value: 1
(PID 3604) netsh.exe
  Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
  Operation: write | Name: LanguageList | Value: en-US
(PID 2424) WebCompanion-Installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: ProxyBypass | Value: 1
(PID 2424) WebCompanion-Installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write | Name: IntranetName | Value: 1
Executable files: 78
Suspicious files: 55
Text files: 64
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe.config | xml
  MD5: D9F815916A197AC939570FB46F30A7E0 | SHA256: DFDBEDA30F14EC52BA098CEC25FBDE8E96B4B2C0EE7A978C79BCC226D3A397DA
2424 | WebCompanion-Installer.exe | C:\Program Files\Lavasoft\Web Companion\Application\BCUSDK.dll | executable
  MD5: 67682071658EF87F551244C72C7E93EC | SHA256: 44739805D56227D3210E83124DAD19CCEEECD3DA122F1EFE9C23C2BDFB4DBDD7
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\pt-BR\WebCompanion-Installer.resources.dll | executable
  MD5: 9E388123D11B03496D87CA20DB2DF304 | SHA256: 0DE57F6026FF2F5BD595040C91BC024D57446DB9C504A861206CF64FCD5055D9
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\tr-TR\WebCompanion-Installer.resources.dll | executable
  MD5: E2FC6F58450E315AB32444D7E8DD7733 | SHA256: 1CE26A4CF8CE2CA80F86992E8C9F1A409D1695E183D7FBB91BF5B4A25A96054A
2424 | WebCompanion-Installer.exe | C:\Users\admin\AppData\Local\Temp\WebCompanion.zip | compressed
  MD5: A97814579D2C171F7279C216C27550A3 | SHA256: C5C782879C1A93311669D3A904A60B54515A6DB1727709009EF506A248D36BFA
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\ru-RU\WebCompanion-Installer.resources.dll | executable
  MD5: 6D49F12C73CD9ED8B21553D22700D228 | SHA256: 3B2292C476DC538590BE02AC5C63B52BD5B4F03F6197EDB9BC7360F5D9AD80FE
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe | executable
  MD5: 2CD1C4054D7F2F203CC18DD3A2955108 | SHA256: E6ECBF1996A9881BF8609A02B60C47CB8451936480288F8C2C3B3A3F4FCDB455
2424 | WebCompanion-Installer.exe | C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt | binary
  MD5: 5FA90E4352844B1AA5A159EFA7191958 | SHA256: 66CF0EEF9C19A546E92403255D04B958D99C669289F61599DFF5A0F2107D10E5
2424 | WebCompanion-Installer.exe | C:\Program Files\Lavasoft\Web Companion\Application\BCUEngineS.dll | executable
  MD5: 7449E9BFBABA554C6082DAB27A365FC6 | SHA256: FB53429D8AC015CAD56A53EC67AEC1C04081114E229606107B58EE0D2DFE9766
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\en-US\WebCompanion-Installer.resources.dll | executable
  MD5: ED69B843BB711243CC4B660E64DFBD9A | SHA256: FD509E29B1A7F0132F9C6C4C53CE2C1A343A89DF38953C9A0B3129B06056A4C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 21
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2424 | WebCompanion-Installer.exe | GET | - | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | - | - | unknown
2424 | WebCompanion-Installer.exe | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 54 b | unknown
- | - | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 50 b | unknown
2424 | WebCompanion-Installer.exe | GET | 200 | 104.17.9.52:80 | http://wcdownloadercdn.lavasoft.com/12.1.2.982/WebCompanion-12.1.2.982-prod.zip | unknown | compressed | 10.0 Mb | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D | unknown | binary | 1.55 Kb | unknown
- | - | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c452aca4c9f2d951 | unknown | compressed | 4.66 Kb | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D | unknown | binary | 812 b | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEHTvSjTpoGUpJ37OBzkq8uU%3D | unknown | binary | 806 b | unknown
3440 | WebCompanion.exe | GET | 200 | 64.18.87.81:80 | http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=newwebsite | unknown | binary | 206 b | unknown
3440 | WebCompanion.exe | GET | 200 | 64.18.87.81:80 | http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=newwebsite_wb | unknown | binary | 205 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2424 | WebCompanion-Installer.exe | 104.17.9.52:80 | geo.lavasoft.com | CLOUDFLARENET | - | shared
2424 | WebCompanion-Installer.exe | 104.17.8.52:443 | geo.lavasoft.com | CLOUDFLARENET | - | shared
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2424 | WebCompanion-Installer.exe | 104.18.26.149:443 | flwadw.com | CLOUDFLARENET | - | shared
1868 | Lavasoft.WCAssistant.WinService.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1868 | Lavasoft.WCAssistant.WinService.exe | 72.246.170.45:80 | ocsp.entrust.net | AKAMAI-AS | DE | unknown
3440 | WebCompanion.exe | 104.17.9.52:80 | geo.lavasoft.com | CLOUDFLARENET | - | shared

DNS requests

Domain
IP
Reputation
geo.lavasoft.com
  • 104.17.9.52
  • 104.17.8.52
unknown
featureflags.lavasoft.com
  • 104.17.8.52
  • 104.17.9.52
unknown
flwadw.com
  • 104.18.26.149
  • 104.18.27.149
unknown
wcdownloadercdn.lavasoft.com
  • 104.17.9.52
  • 104.17.8.52
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.entrust.net
  • 72.246.170.45
whitelisted
wc-partners.lavasoft.com
  • 64.18.87.81
  • 64.18.87.82
whitelisted
webcompanion.com
  • 104.18.212.25
  • 104.18.211.25
unknown
staging-partner-info.lavasoft.net
unknown
sg-bitmask.adaware.com
  • 104.18.67.73
  • 104.18.68.73
unknown

Threats

PID | Process | Class | Message
2424 | WebCompanion-Installer.exe | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)
Debug output strings (Process: Message)

WebCompanion-Installer.exe: Detecting windows culture
WebCompanion-Installer.exe: Preparing request for featureflag: {"Geo":"NL","Partner":"newwebsite","Campaign":"NA","InstallDate":"20231215","TriggerType":"install","TriggerEvent":"installer","Version":"12.1.2.982","featurewp":true,"featureal":true}
WebCompanion-Installer.exe: Getting response from featureflag: [{"sectionCode":"WAC","code":"WAC","configuration":"{\"Icon\": \"https://webcompanion.com/images/favicon.ico\", \"AppName\": \"Web Companion\", \"Settings\": [\"WCAutoUpdate\", \"EnableGranularity\", \"PostRunV2Action\", \"PostRunTimerAction\", \"EnableTelemetryScan\", \"EnableWebProtection\", \"EnableDynamicNotification\"], \"CompanyName\": \"Lavasoft\", \"ConfigVersion\": \"v1\", \"CurrentVersion\": \"9.3.0\"}","targetId":301},{"sectionCode":"WFAI","code":"WCP","configuration":"{\"Version\": \"3.0.2.12\", \"FilePath\": \"https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip\", \"BlackList\": \"https://acs.lavasoft.com/api/v2/url/blacklist\", \"WhiteList\": \"https://acs.lavasoft.com/api/v2/url/permanentwhitelist\", \"DisplayName\": \"Web Protection\", \"FeatureName\": \"WebProtection\"}","targetId":241}]
WebCompanion-Installer.exe: 12/15/2023 3:59:40 PM :-> Start
WebCompanion-Installer.exe: 12/15/2023 3:59:40 PM :-> Starting installer 12.1.2.982 with: .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982, Run as admin: True
WebCompanion-Installer.exe: Failed to report progress in SendPostRequest: System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe: SecurityProtocol set toTls, Tls11, Tls12, Tls13
WebCompanion-Installer.exe: Preparing for installing Web Companion
WebCompanion-Installer.exe: Failed to report progress in SendPostRequest: System.Net.WebException: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) --- End of inner exception stack trace --- at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe: 12/15/2023 4:00:09 PM :-> Generating Machine and Install Id ...