File name: WebCompanionInstaller-12.901.4.1003-prod.exe

Full analysis: https://app.any.run/tasks/ddfd8d8b-bf52-4c14-82dc-7f37a221f996
Verdict: Malicious activity
Analysis date: February 21, 2024, 09:10:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6282E4C1946A56A337820D5C1EE8003B
SHA1: 67DE47F91D86EBFDAB2F42ABA38B067EB25122FD
SHA256: D3E74A30090E2DEA532BC044128591FEE39DC9DD114B3F9045D5A2ADC3EBD1DF
SSDEEP: 24576:+6VnvKbsJEc4adLap8SGazADUIPqKfi9aadBRC4rkQ:+6VnvKoJEc4adLap8SGazADUIiKfi9dp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WebCompanionInstaller-12.901.4.1003-prod.exe (PID: 3672)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WebCompanionInstaller-12.901.4.1003-prod.exe (PID: 3672)
  • INFO

    • Reads the computer name

      • WebCompanion-Installer.exe (PID: 4052)
    • Checks supported languages

      • WebCompanionInstaller-12.901.4.1003-prod.exe (PID: 3672)
      • WebCompanion-Installer.exe (PID: 4052)
    • Reads the machine GUID from the registry

      • WebCompanion-Installer.exe (PID: 4052)
    • Create files in a temporary directory

      • WebCompanionInstaller-12.901.4.1003-prod.exe (PID: 3672)
      • WebCompanion-Installer.exe (PID: 4052)
    • Reads Environment values

      • WebCompanion-Installer.exe (PID: 4052)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:18 18:54:06+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 104448
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x148d4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 12.901.4.1003
ProductVersionNumber: 12.901.4.1003
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 12.901.4.1003
ProductVersion: 12.901.4.1003
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: © Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → webcompanioninstaller-12.901.4.1003-prod.exe → webcompanion-installer.exe

Process information

PID: 3672
CMD: "C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller-12.901.4.1003-prod.exe"
Path: C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller-12.901.4.1003-prod.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 0
Version: 12.901.4.1003
Modules (images):
c:\users\admin\appdata\local\temp\webcompanioninstaller-12.901.4.1003-prod.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 4052
CMD: .\WebCompanion-Installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS85E48438\WebCompanion-Installer.exe
Parent process: WebCompanionInstaller-12.901.4.1003-prod.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion
Exit code: 0
Version: 12.901.4.1003
Modules (images):
c:\users\admin\appdata\local\temp\7zs85e48438\webcompanion-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 874
Read events: 874
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 13
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\en-US\WebCompanion-Installer.resources.dll | executable
MD5:E4266F63970E9BB702FDED23ABB07AD7
SHA256:83CF07757CA5E7C3DD2A8CABC44BA246B6B6F24C3D7042CEB3FC91DDFA8C4160
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\de-DE\WebCompanion-Installer.resources.dll | executable
MD5:882D661D8E16DBBB09AC9B31454130F2
SHA256:91B10F5BB33CE0A3C1D10BA53AC71DBD95A5702CB7B183A65210C54FFB9CD585
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\ICSharpCode.SharpZipLib.dll | executable
MD5:B0040D764201ABD71C26560E798BFA7F
SHA256:13C3E0FEC7FF29EB8AB28B321102C2D27AFCBB410884CD693CFD3D211BBEF1D5
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\es-ES\WebCompanion-Installer.resources.dll | executable
MD5:49097A52EE5BB99275F10224FBDF8DEF
SHA256:8922F2BE98BDEF22CA58CB24AD75CAC9CC9A6EEEB5E61C359CC9D639B0CA72B9
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\it-IT\WebCompanion-Installer.resources.dll | executable
MD5:B1E13550602007500AB49888607320E7
SHA256:5126C176226EF22564CED739E43F65A50EE96034F4D709AB184A3E1C07D53797
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\ja-JP\WebCompanion-Installer.resources.dll | executable
MD5:6D043830CBA47195B2DD06DAFC9216BA
SHA256:DCD3BD4FBF91BF5348F071AD284866725DFF07907641C9F52F9EE99C26EC3EB5
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\ru-RU\WebCompanion-Installer.resources.dll | executable
MD5:F0D226185C695EA2479FDB885A7FB704
SHA256:53435A7C3E55C7F3E9733F704E60014C2BD12512C902F16134492C2AE1C591BB
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\pt-BR\WebCompanion-Installer.resources.dll | executable
MD5:917BC855C6178351A99AE65DC3C45129
SHA256:2960AE10EBE3BCE868C0D7FF416FFB462F2B6E3032A5D576C7154FF451ACC713
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\WebCompanion-Installer.exe.config | xml
MD5:BE34B448B611DC35DD383ED545E8FA96
SHA256:DEEBA89FAB938088E2E65942E93210E6E368EEF6BC1CA8E8724ED43154701851
3672 | WebCompanionInstaller-12.901.4.1003-prod.exe | C:\Users\admin\AppData\Local\Temp\7zS85E48438\Newtonsoft.Json.dll | executable
MD5:746C1F0EA5A5C0A67FE96DBA4E32AC76
SHA256:9EE20B0B7E54E633EFF1A25B6E379201D499552689AD29EEBD5AD90F221B1386

HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected

Process: WebCompanion-Installer.exe
Message:
Failed to OpenWcfHost: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:9008/webcompanion/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at WebCompanionInstaller.App.OpenInstallerWcfHost()

Process: WebCompanion-Installer.exe
Message: Detecting windows culture