File name: WebCompanionInstaller.exe

Full analysis: https://app.any.run/tasks/345f0b5a-98d2-49c0-ab89-8398a6364e99
Verdict: Malicious activity
Analysis date: December 15, 2023, 15:59:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6428F0543B9ABA51EB5AC016C7DFF05B
SHA1: F686DF1A32F56CB81443590FD2B08976BE640027
SHA256: BA130C651F7B72875C3A87AAE45F24EADA7B7FA5EF016CDB1A0CBB198B305A81
SSDEEP: 24576:z6VnvKW3IrR6Tq4pvwW1tZ+fonI3Rl/eMMf2zB:z6VnvKiIrR6Tq4pvwQtZ+feI3Rl/eMMe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
    • Creates a writable file in the system directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Steals credentials from Web Browsers

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Changes the autorun value in the registry

      • WebCompanion.exe (PID: 2380)
    • Actions look like stealing of personal data

      • WebCompanion.exe (PID: 2380)
      • WebCompanion.exe (PID: 3440)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WebCompanion-Installer.exe (PID: 2424)
    • The process creates files with names similar to system file names

      • WebCompanion-Installer.exe (PID: 2424)
    • Searches for installed software

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads the Internet Settings

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Executes as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Checks Windows Trust Settings

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Adds/modifies Windows certificates

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
    • Starts CMD.EXE for commands execution

      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion-Installer.exe (PID: 2424)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 3124)
    • Starts SC.EXE for service management

      • WebCompanion-Installer.exe (PID: 2424)
    • Changes internet zones settings

      • WebCompanion-Installer.exe (PID: 2424)
    • Reads settings of System Certificates

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
      • WebCompanion-Installer.exe (PID: 2424)
    • Reads security settings of Internet Explorer

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Drops 7-zip archiver for unpacking

      • WebCompanion-Installer.exe (PID: 2424)
    • The process drops C-runtime libraries

      • WebCompanion-Installer.exe (PID: 2424)
  • INFO

    • Create files in a temporary directory

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
    • Checks supported languages

      • WebCompanionInstaller.exe (PID: 1152)
      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
      • wmpnscfg.exe (PID: 3388)
    • Reads the computer name

      • WebCompanion-Installer.exe (PID: 2424)
      • wmpnscfg.exe (PID: 3388)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads Environment values

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads the machine GUID from the registry

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Creates files in the program directory

      • WebCompanion-Installer.exe (PID: 2424)
      • Lavasoft.WCAssistant.WinService.exe (PID: 1868)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Creates files or folders in the user directory

      • WebCompanion-Installer.exe (PID: 2424)
      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Reads product name

      • WebCompanion.exe (PID: 3440)
      • WebCompanion.exe (PID: 2380)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3388)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (33)
.exe | Win32 Executable MS Visual C++ (generic) (23.9)
.exe | Win64 Executable (generic) (21.2)
.scr | Windows screen saver (10)
.dll | Win32 Dynamic Link Library (generic) (5)

Note: TRiD's top match is a heuristic. The sample extracts its payload to %TEMP%\7zS084B5B11\ (see Dropped files), the directory naming used by 7-Zip self-extracting archives, so the outer file is better read as a 7-Zip SFX stub wrapping the 12.1.2.982 payload; the 2011 link timestamp below belongs to that stub, not to the payload's build.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:18 20:54:06+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 104448
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x148d4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 12.1.2.982
ProductVersionNumber: 12.1.2.982
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 12.1.2.982
ProductVersion: 12.1.2.982
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: © Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
All screenshots are available in the full report
Total processes: 61
Monitored processes: 15
Malicious processes: 5
Suspicious processes: 0

Behavior graph

start
  webcompanioninstaller.exe
  webcompanion-installer.exe
  wmpnscfg.exe (no specs)
  sc.exe (no specs)
  sc.exe (no specs)
  sc.exe (no specs)
  lavasoft.wcassistant.winservice.exe
  sc.exe (no specs)
  cmd.exe (no specs)
  netsh.exe (no specs)
  cmd.exe (no specs)
  netsh.exe (no specs)
  webcompanion.exe
  webcompanion.exe
  webcompanioninstaller.exe (no specs)

Process information

Fields per process: PID, command line (CMD), image path, parent process, user, company, integrity level, description, exit code, version, loaded modules (images).
PID: 1152
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion Installer
Exit code: 0
Version: 12.1.2.982
Modules (images):
  c:\users\admin\appdata\local\temp\webcompanioninstaller.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
PID: 1556
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch stopped before loading anything beyond ntdll; PID 1152 is the same image running at HIGH integrity)
Version: 12.1.2.982
Modules (images):
  c:\users\admin\appdata\local\temp\webcompanioninstaller.exe
  c:\windows\system32\ntdll.dll
PID: 1868
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
Path: C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: SPWindowsService
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\program files\lavasoft\web companion\application\lavasoft.wcassistant.winservice.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2380
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Modules (images):
  c:\program files\lavasoft\web companion\application\webcompanion.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2424
CMD: .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982
Path: C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Modules (images):
  c:\users\admin\appdata\local\temp\7zs084b5b11\webcompanion-installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3124
CMD: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\cmd.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Note: url=http://+:9007/ with user=Everyone asks HTTP.sys to let any local account listen on TCP 9007 for every host name ("+" is the strong wildcard), over cleartext HTTP. Both cmd.exe and the netsh.exe child (PID 3272) exited with a non-zero code, so whether the reservation actually took effect on a host should be confirmed with "netsh http show urlacl" rather than assumed from the command line.
Modules (images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
PID: 3272
CMD: netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\netsh.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\credui.dll
  c:\windows\system32\user32.dll
PID: 3308
CMD: "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path: C:\Windows\System32\sc.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: the service is registered with start= auto (started by the SCM at every boot) and without an obj= argument, so it runs as LocalSystem; the process list confirms this (PID 1868, User: SYSTEM, parent services.exe). The binPath value is quoted, so the unquoted-service-path weakness does not apply here.
Modules (images):
  c:\windows\system32\sc.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
PID: 3388
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
PID: 3440
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanion-Installer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 12.1.2.982
Modules (images):
  c:\program files\lavasoft\web companion\application\webcompanion.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
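The two living-off-the-land command lines in the process list above (the HTTP.sys URL reservation through cmd.exe and netsh.exe, PIDs 3124 and 3272, and the service registration through sc.exe, PID 3308) are what a detection engineer would want to pull apart from process-creation telemetry. The Python below is an added example, not part of the ANY.RUN report or of Lavasoft's software: it tokenizes Windows command lines, recovers the urlacl and service definitions, and flags the properties that matter (wildcard host, Everyone, cleartext scheme, auto-start, unquoted binPath, implicit LocalSystem). The report's three command lines are embedded as sample events; the PID 9001 and 9002 events are constructed contrast cases and do not come from the report.

```python
"""Triage netsh urlacl reservations and sc.exe service definitions from
process command lines. Added example; the first three events are copied
from the report, PIDs 9001/9002 are constructed for contrast."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

PERSISTENT_STARTS = {"auto", "delayed-auto", "boot", "system"}


@dataclass
class Tok:
    text: str
    quoted: bool


def tokenize(cmdline: str) -> list[Tok]:
    """Split on unquoted whitespace, drop the quotes, and remember which
    tokens had them (sc.exe's 'binPath= "..."' form depends on that)."""
    toks, cur, in_q, seen_q = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_q, seen_q = not in_q, True
        elif ch.isspace() and not in_q:
            if cur or seen_q:
                toks.append(Tok("".join(cur), seen_q))
            cur, seen_q = [], False
        else:
            cur.append(ch)
    if cur or seen_q:
        toks.append(Tok("".join(cur), seen_q))
    return toks


def triage_urlacl(pid: int, args: list[Tok]) -> dict | None:
    """netsh http add urlacl url=<url> user=<account> [sddl=<sddl>]."""
    if [t.text.lower() for t in args[:3]] != ["http", "add", "urlacl"]:
        return None
    kv = {k.lower(): v for k, v in
          (t.text.split("=", 1) for t in args[3:] if "=" in t.text)}
    url = kv.get("url", "")
    parts = urlsplit(url)
    flags = []
    if parts.hostname == "+":
        flags.append("strong wildcard host (+)")      # every name and address
    elif parts.hostname == "*":
        flags.append("weak wildcard host (*)")
    user = kv.get("user", "").lower().lstrip("\\")
    if user in ("everyone", "s-1-1-0") or ";;;WD)" in kv.get("sddl", ""):
        flags.append("reserved for Everyone")        # any local account may listen
    if parts.scheme == "http":
        flags.append("scheme http (cleartext)")
    return {"pid": pid, "tool": "netsh urlacl", "url": url,
            "port": parts.port, "flags": flags}


def triage_sc_create(pid: int, args: list[Tok]) -> dict | None:
    """sc.exe create <name> key= value ... (sc's syntax puts a space after '=')."""
    idx = next((i for i, t in enumerate(args) if t.text.lower() == "create"), None)
    if idx is None or idx + 1 >= len(args):
        return None
    name = args[idx + 1].text
    opts: dict[str, tuple[str, bool]] = {}   # key -> (value, single quoted token?)

    def flush(key, parts):
        if key is not None:
            opts[key] = (" ".join(p.text for p in parts),
                         len(parts) == 1 and parts[0].quoted)

    key, parts = None, []
    for t in args[idx + 2:]:
        head, sep, rest = t.text.partition("=")
        if sep and " " not in head:            # 'binPath=' or 'start=auto'
            flush(key, parts)
            key, parts = head.lower(), ([Tok(rest, t.quoted)] if rest else [])
        elif key is not None:
            parts.append(t)                    # value token(s) after 'key='
    flush(key, parts)

    binpath, quoted = opts.get("binpath", ("", False))
    start = opts.get("start", ("", False))[0].lower()
    flags = []
    if start in PERSISTENT_STARTS:
        flags.append(f"start={start} (persists across reboots)")
    if " " in binpath and not quoted:
        flags.append("unquoted binPath containing spaces")   # path-hijack weakness
    if "obj" not in opts:
        flags.append("no obj= given: runs as LocalSystem")
    return {"pid": pid, "tool": "sc create", "service": name,
            "binpath": binpath, "flags": flags}


def triage(pid: int, cmdline: str) -> dict | None:
    """Route an event to the right parser, looking through a leading
    'cmd.exe /C' wrapper as in PID 3124."""
    toks = tokenize(cmdline)
    for i, t in enumerate(toks):
        image = t.text.lower().rsplit("\\", 1)[-1]
        if image in ("netsh", "netsh.exe"):
            return triage_urlacl(pid, toks[i + 1:])
        if image in ("sc", "sc.exe"):
            return triage_sc_create(pid, toks[i + 1:])
    return None


SAMPLE_EVENTS = [
    (3124, r'"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone'),
    (3272, r'netsh http add urlacl url=http://+:9007/ user=Everyone'),
    (3308, r'"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto'),
    # constructed contrast cases (not from the report): tight reservation, unquoted path
    (9001, r'netsh http add urlacl url=https://localhost:9007/ user="NT AUTHORITY\NETWORK SERVICE"'),
    (9002, r'sc.exe create DemoSvc binPath= C:\Program Files\Demo\svc.exe start= demand'),
]


def triage_all(events=SAMPLE_EVENTS) -> list[dict]:
    return [r for r in (triage(p, c) for p, c in events) if r]


if __name__ == "__main__":
    for r in triage_all():
        target = r.get("url") or r.get("binpath")
        print(r["pid"], r["tool"], target, "|", "; ".join(r["flags"]) or "no flags")
```

The tokenizer deliberately keeps the was-quoted bit per token: sc.exe stores binPath verbatim, and a value that arrives as several tokens (as in the PID 9002 case) is exactly the unquoted-path-with-spaces condition that lets a writable directory earlier in the path hijack the service.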
Total events: 27 969
Read events: 27 798
Write events: 171
Delete events: 0

Modification events

PID 2424 WebCompanion-Installer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US
PID 2424 WebCompanion-Installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
  Operation: write  Name: Name  Value: Explorer.EXE
PID 1868 Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US
PID 1868 Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4
  Operation: write  Name: Blob  Value: 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
PID 1868 Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4
  Operation: write  Name: Blob  Value: 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
PID 1868 Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: UNCAsIntranet  Value: 0
PID 1868 Lavasoft.WCAssistant.WinService.exe
  Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: AutoDetect  Value: 1
PID 3604 netsh.exe
  Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US
PID 2424 WebCompanion-Installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: ProxyBypass  Value: 1
PID 2424 WebCompanion-Installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: IntranetName  Value: 1

Note: the two Blob writes land in HKLM\...\SystemCertificates\AuthRoot, the store that CryptoAPI's automatic root-update mechanism fills while building a certificate chain; the subkey name is the SHA-1 thumbprint of the stored certificate. The same PID fetched disallowedcertstl.cab from ctldl.windowsupdate.com and queried ocsp.entrust.net (see HTTP requests), which is the traffic pattern of chain validation rather than of a root being planted by hand. Before treating the "Adds/modifies Windows certificates" indicator as an IOC, decode the Blob and compare the thumbprint against the Microsoft trusted root list. The ZoneMap values (UNCAsIntranet, AutoDetect, ProxyBypass, IntranetName) are created when WinINet is first used from a profile and are what the "Changes internet zones settings" indicator fires on.
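To check what the SYSTEM service actually wrote under AuthRoot, an analyst decodes the Blob value and verifies that the certificate inside hashes to the subkey name. The Python below is an added example, not part of the report or of Lavasoft's software. It implements the serialized-property format Windows uses for these values (repeated records of DWORD property id, DWORD 1, DWORD length, data; property 0x20 is the DER certificate, 0x03 the cached SHA-1, 0x0B the UTF-16LE friendly name). The report does not reproduce the Blob bytes, so the input here is a constructed blob built around a minimal DER SEQUENCE standing in for a real certificate; the key name 8CF427FD790C3AD166068DE81E57EFBB932272D4 from the report is used only to show what a mismatch looks like.

```python
r"""Decode a Windows SystemCertificates\<store>\Certificates\<thumbprint>\Blob
registry value and check the key name against the certificate it holds.
Added example; the sample blob below is constructed, not taken from the report."""
from __future__ import annotations
import hashlib
import struct

# Property ids from wincrypt.h that appear in serialized certificate blobs.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20          # the DER-encoded certificate itself


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Records are: DWORD propId, DWORD reserved (1), DWORD cb, cb bytes; LE."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property 0x{prop_id:02X} claims {length} bytes, "
                             f"only {len(data)} present")
        props[prop_id] = data
        off += length
    return props


def thumbprint(props: dict[int, bytes]) -> str:
    """SHA-1 of the DER certificate, upper-case hex: the registry subkey name."""
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob has no CERT_CERT_PROP_ID (0x20) record")
    return hashlib.sha1(der).hexdigest().upper()


def friendly_name(props: dict[int, bytes]) -> str | None:
    """Property 0x0B is UTF-16LE with a trailing NUL."""
    raw = props.get(CERT_FRIENDLY_NAME_PROP_ID)
    return raw.decode("utf-16-le").rstrip("\x00") if raw else None


def verify_key(key_name: str, blob: bytes) -> tuple[bool, str]:
    """True when the subkey name matches the stored certificate and the cached
    SHA-1 property (if present) agrees; anything else is a sign the value was
    not written by CryptoAPI as-is and deserves a closer look."""
    props = parse_blob(blob)
    actual = thumbprint(props)
    if actual != key_name.upper():
        return False, f"key {key_name.upper()} but certificate hashes to {actual}"
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    if cached is not None and cached.hex().upper() != actual:
        return False, "cached SHA-1 property disagrees with certificate"
    return True, actual


def build_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_blob; used here only to construct test input."""
    return b"".join(struct.pack("<III", pid, 1, len(v)) + v
                    for pid, v in props.items())


# Constructed input: a minimal DER SEQUENCE stands in for a real certificate.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_KEY = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob({
    CERT_FRIENDLY_NAME_PROP_ID: "constructed test cert\x00".encode("utf-16-le"),
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(SAMPLE_KEY),
    CERT_CERT_PROP_ID: SAMPLE_DER,
})

# Subkey name seen in the report; against the constructed blob it must not verify.
REPORT_KEY = "8CF427FD790C3AD166068DE81E57EFBB932272D4"

if __name__ == "__main__":
    print(verify_key(SAMPLE_KEY, SAMPLE_BLOB))
    print(verify_key(REPORT_KEY, SAMPLE_BLOB))
```

On a live host the same functions take the bytes read from the key (for example exported with reg.exe or read via winreg) and, once the thumbprint checks out, the DER from property 0x20 can be fed to any X.509 parser to see whose root it is.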
Executable files: 78
Suspicious files: 55
Text files: 64
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\WebCompanion-Installer.exe.config | xml
  MD5: D9F815916A197AC939570FB46F30A7E0
  SHA256: DFDBEDA30F14EC52BA098CEC25FBDE8E96B4B2C0EE7A978C79BCC226D3A397DA
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\fr-CA\WebCompanion-Installer.resources.dll | executable
  MD5: 1A9D0979F853135929A8CFA929632BB3
  SHA256: 53962528A7010070152E63DB2ACF4C91D217DD99C089D48104694976BF6D882F
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\ja-JP\WebCompanion-Installer.resources.dll | executable
  MD5: 9FC7F2E4C35E1BF99452D6AA4D7C145D
  SHA256: A9BDC529C1619E97BBD4CCA9451EB0A5C0771584EEF3762A0936F56ADC45E9EC
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\es-ES\WebCompanion-Installer.resources.dll | executable
  MD5: 72E902BAD3C552E4A5B663B88E3361F2
  SHA256: 853290F914866C44710B0034066E56E32E3C2AF0C6B90C9CA566BC64BBB418C8
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\Newtonsoft.Json.dll | executable
  MD5: E43470DF21F2B7381846D1290E2DBBE4
  SHA256: E0583463BBFDAD8E34C36CCB2AAAC8B5B3518C99EB895248F48D8E4B259AF8DA
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\ICSharpCode.SharpZipLib.dll | executable
  MD5: FF32EC84E050CDF0B99282966343FF00
  SHA256: B5E8D075ACEFD6C471F0AD1BB38C3E3A27A64D8F217A6AEDC2314DE544DAD427
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\en-US\WebCompanion-Installer.resources.dll | executable
  MD5: ED69B843BB711243CC4B660E64DFBD9A
  SHA256: FD509E29B1A7F0132F9C6C4C53CE2C1A343A89DF38953C9A0B3129B06056A4C4
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\ru-RU\WebCompanion-Installer.resources.dll | executable
  MD5: 6D49F12C73CD9ED8B21553D22700D228
  SHA256: 3B2292C476DC538590BE02AC5C63B52BD5B4F03F6197EDB9BC7360F5D9AD80FE
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\zh-CHS\WebCompanion-Installer.resources.dll | executable
  MD5: 58E7CBBB2FAD1EC9F11033817E982B7D
  SHA256: AD56DD34B090601DD7BB55A1730796569470F6405EC56D91079CF8B766912DC5
1152 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS084B5B11\tr-TR\WebCompanion-Installer.resources.dll | executable
  MD5: E2FC6F58450E315AB32444D7E8DD7733
  SHA256: 1CE26A4CF8CE2CA80F86992E8C9F1A409D1695E183D7FBB91BF5B4A25A96054A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 21
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(- = not recorded on this page)
2424 | WebCompanion-Installer.exe | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 54 b | unknown
2424 | WebCompanion-Installer.exe | GET | - | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | - | - | unknown
2424 | WebCompanion-Installer.exe | GET | 200 | 104.17.9.52:80 | http://wcdownloadercdn.lavasoft.com/12.1.2.982/WebCompanion-12.1.2.982-prod.zip | unknown | compressed | 10.0 Mb | unknown
- | - | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 50 b | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D | unknown | binary | 1.55 Kb | unknown
- | - | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c452aca4c9f2d951 | unknown | compressed | 4.66 Kb | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D | unknown | binary | 812 b | unknown
1868 | Lavasoft.WCAssistant.WinService.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEHTvSjTpoGUpJ37OBzkq8uU%3D | unknown | binary | 806 b | unknown
3440 | WebCompanion.exe | GET | 200 | 104.17.9.52:80 | http://geo.lavasoft.com/ | unknown | binary | 50 b | unknown
3440 | WebCompanion.exe | GET | 200 | 64.18.87.81:80 | http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=newwebsite | unknown | binary | 206 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(- = not recorded on this page)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2424 | WebCompanion-Installer.exe | 104.17.9.52:80 | geo.lavasoft.com | CLOUDFLARENET | - | shared
2424 | WebCompanion-Installer.exe | 104.17.8.52:443 | geo.lavasoft.com | CLOUDFLARENET | - | shared
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2424 | WebCompanion-Installer.exe | 104.18.26.149:443 | flwadw.com | CLOUDFLARENET | - | shared
1868 | Lavasoft.WCAssistant.WinService.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1868 | Lavasoft.WCAssistant.WinService.exe | 72.246.170.45:80 | ocsp.entrust.net | AKAMAI-AS | DE | unknown
3440 | WebCompanion.exe | 104.17.9.52:80 | geo.lavasoft.com | CLOUDFLARENET | - | shared

DNS requests

Domain
IP
Reputation
geo.lavasoft.com
  • 104.17.9.52
  • 104.17.8.52
unknown
featureflags.lavasoft.com
  • 104.17.8.52
  • 104.17.9.52
unknown
flwadw.com
  • 104.18.26.149
  • 104.18.27.149
unknown
wcdownloadercdn.lavasoft.com
  • 104.17.9.52
  • 104.17.8.52
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.entrust.net
  • 72.246.170.45
whitelisted
wc-partners.lavasoft.com
  • 64.18.87.81
  • 64.18.87.82
whitelisted
webcompanion.com
  • 104.18.212.25
  • 104.18.211.25
unknown
staging-partner-info.lavasoft.net
unknown
sg-bitmask.adaware.com
  • 104.18.67.73
  • 104.18.68.73
unknown

Threats

PID | Process | Class | Message
2424 | WebCompanion-Installer.exe | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)
Debug output (Process: Message)

WebCompanion-Installer.exe: Detecting windows culture
WebCompanion-Installer.exe: Preparing request for featureflag: {"Geo":"NL","Partner":"newwebsite","Campaign":"NA","InstallDate":"20231215","TriggerType":"install","TriggerEvent":"installer","Version":"12.1.2.982","featurewp":true,"featureal":true}
WebCompanion-Installer.exe: Getting response from featureflag: [{"sectionCode":"WAC","code":"WAC","configuration":"{\"Icon\": \"https://webcompanion.com/images/favicon.ico\", \"AppName\": \"Web Companion\", \"Settings\": [\"WCAutoUpdate\", \"EnableGranularity\", \"PostRunV2Action\", \"PostRunTimerAction\", \"EnableTelemetryScan\", \"EnableWebProtection\", \"EnableDynamicNotification\"], \"CompanyName\": \"Lavasoft\", \"ConfigVersion\": \"v1\", \"CurrentVersion\": \"9.3.0\"}","targetId":301},{"sectionCode":"WFAI","code":"WCP","configuration":"{\"Version\": \"3.0.2.12\", \"FilePath\": \"https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip\", \"BlackList\": \"https://acs.lavasoft.com/api/v2/url/blacklist\", \"WhiteList\": \"https://acs.lavasoft.com/api/v2/url/permanentwhitelist\", \"DisplayName\": \"Web Protection\", \"FeatureName\": \"WebProtection\"}","targetId":241}]
WebCompanion-Installer.exe: 12/15/2023 3:59:40 PM :-> Start
WebCompanion-Installer.exe: 12/15/2023 3:59:40 PM :-> Starting installer 12.1.2.982 with: .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.982, Run as admin: True
WebCompanion-Installer.exe: Failed to report progress in SendPostRequest: System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe: SecurityProtocol set toTls, Tls11, Tls12, Tls13
WebCompanion-Installer.exe: Preparing for installing Web Companion
WebCompanion-Installer.exe: Failed to report progress in SendPostRequest: System.Net.WebException: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) --- End of inner exception stack trace --- at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe: 12/15/2023 4:00:09 PM :-> Generating Machine and Install Id ...
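The featureflag exchange in the debug output above is the richest configuration artifact on the page: the request shows what the installer reports about the host (geo, partner tag, install date, version), and the response carries each feature's configuration as a JSON string embedded inside JSON, including the download and list URLs the installed components will contact later. The Python below is an added example, not part of the ANY.RUN report or of Lavasoft's software; it takes the two log lines verbatim from the debug output, decodes the nested configuration, and collects the URLs grouped by host as network indicators.

```python
"""Pull configuration and URL indicators out of the installer's debug lines.
Added example; the two log lines are copied from the report's debug output."""
from __future__ import annotations
import json
from urllib.parse import urlsplit

REQUEST_LINE = r'''Preparing request for featureflag: {"Geo":"NL","Partner":"newwebsite","Campaign":"NA","InstallDate":"20231215","TriggerType":"install","TriggerEvent":"installer","Version":"12.1.2.982","featurewp":true,"featureal":true}'''

RESPONSE_LINE = r'''Getting response from featureflag: [{"sectionCode":"WAC","code":"WAC","configuration":"{\"Icon\": \"https://webcompanion.com/images/favicon.ico\", \"AppName\": \"Web Companion\", \"Settings\": [\"WCAutoUpdate\", \"EnableGranularity\", \"PostRunV2Action\", \"PostRunTimerAction\", \"EnableTelemetryScan\", \"EnableWebProtection\", \"EnableDynamicNotification\"], \"CompanyName\": \"Lavasoft\", \"ConfigVersion\": \"v1\", \"CurrentVersion\": \"9.3.0\"}","targetId":301},{"sectionCode":"WFAI","code":"WCP","configuration":"{\"Version\": \"3.0.2.12\", \"FilePath\": \"https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip\", \"BlackList\": \"https://acs.lavasoft.com/api/v2/url/blacklist\", \"WhiteList\": \"https://acs.lavasoft.com/api/v2/url/permanentwhitelist\", \"DisplayName\": \"Web Protection\", \"FeatureName\": \"WebProtection\"}","targetId":241}]'''


def json_payload(line: str):
    """Debug lines are '<prefix>: <json>'; load from the first '{' or '['."""
    starts = [i for i in (line.find("{"), line.find("[")) if i >= 0]
    if not starts:
        raise ValueError("no JSON payload in line")
    return json.loads(line[min(starts):])


def decode_featureflags(line: str) -> dict[str, dict]:
    """Each section's 'configuration' is a JSON document serialized as a
    string inside the outer JSON, so it is decoded a second time. Keyed by
    the section's 'code' (WAC, WCP in the report)."""
    sections: dict[str, dict] = {}
    for item in json_payload(line):
        cfg = item["configuration"]
        sections[item["code"]] = json.loads(cfg) if isinstance(cfg, str) else cfg
    return sections


def collect_urls(obj) -> list[str]:
    """Walk nested dicts/lists and return every http(s) URL string, in order."""
    if isinstance(obj, str):
        return [obj] if obj.startswith(("http://", "https://")) else []
    if isinstance(obj, dict):
        return [u for v in obj.values() for u in collect_urls(v)]
    if isinstance(obj, list):
        return [u for v in obj for u in collect_urls(v)]
    return []


def network_indicators(line: str) -> dict[str, list[str]]:
    """Host -> URLs the installed components are configured to contact."""
    out: dict[str, list[str]] = {}
    for url in collect_urls(decode_featureflags(line)):
        out.setdefault(urlsplit(url).hostname, []).append(url)
    return out


if __name__ == "__main__":
    req = json_payload(REQUEST_LINE)
    print("reported to server:", {k: req[k] for k in ("Geo", "Partner", "InstallDate", "Version")})
    for code, cfg in decode_featureflags(RESPONSE_LINE).items():
        print(code, "->", sorted(cfg))
    for host, urls in network_indicators(RESPONSE_LINE).items():
        print(host, len(urls), "url(s)")
```

The hosts recovered this way (webcompanion.com, rt.webcompanion.com, acs.lavasoft.com) do not all appear in the DNS or connection tables above, because the sandbox run ended before the Web Protection component fetched its payload; decoding the configuration is how those later-stage indicators are obtained from a short run.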