Malware analysis ae1bc5fc07b1554f935c7d0e7b6452138fb56179960eb80d6c8bfd62a1b6a773.zip Malicious activity

Add for printing

File name:	ae1bc5fc07b1554f935c7d0e7b6452138fb56179960eb80d6c8bfd62a1b6a773.zip
Full analysis:	https://app.any.run/tasks/b7dae119-fc9f-495a-9153-cf400fb13380
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	February 10, 2024, 23:35:14
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware adaware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5:	557464EEE7CA1D926F27C97F754ABF30
SHA1:	87E2398C922D640410ADAED7A3FE39B999EBF24F
SHA256:	EAC03B7830F73B2AEA2D763EEC045E5E8B8992DE4C5D51626D634466989195A6
SSDEEP:	24576:+LJTCLM9LNon8Cw1O1us2cheDT1l2DGGikPyPrqqB4uC8gy:+LJTCLM9Lan8Cw1O1us2cheDT1l2DGG+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 3672)
  - $R4P6CYV.exe (PID: 120)
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion.exe (PID: 3692)
  - WebCompanion-Installer.exe (PID: 1432)
- Steals credentials from Web Browsers
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- ADAWARE has been detected (SURICATA)
  - WebCompanion.exe (PID: 1844)
- Changes the autorun value in the registry
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - rundll32.exe (PID: 3776)
  - WebCompanion.exe (PID: 3584)
- Actions looks like stealing of personal data
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion.exe (PID: 3584)
  - WebCompanion.exe (PID: 3956)
- Creates a writable file in the system directory
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - rundll32.exe (PID: 3776)
- Starts NET.EXE for service management
  - WebCompanion-Installer.exe (PID: 1432)
  - net.exe (PID: 3964)
SUSPICIOUS
- Executable content was dropped or overwritten
  - $R4P6CYV.exe (PID: 120)
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion.exe (PID: 3692)
  - WebCompanion-Installer.exe (PID: 1432)
  - rundll32.exe (PID: 3776)
- Searches for installed software
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Reads the Internet Settings
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - runonce.exe (PID: 2732)
  - WebCompanion-Installer.exe (PID: 1432)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Reads settings of System Certificates
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Drops 7-zip archiver for unpacking
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 1432)
- The process drops C-runtime libraries
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 1432)
- Changes internet zones settings
  - WebCompanion-Installer.exe (PID: 2124)
- Process drops legitimate windows executable
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 1432)
- Starts CMD.EXE for commands execution
  - WebCompanion-Installer.exe (PID: 2124)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion-Installer.exe (PID: 1432)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 3724)
  - cmd.exe (PID: 3968)
- Reads security settings of Internet Explorer
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Checks Windows Trust Settings
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Adds/modifies Windows certificates
  - WebCompanion.exe (PID: 1844)
- The process creates files with name similar to system file names
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 1432)
- Creates a software uninstall entry
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 1432)
- Executes as Windows Service
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - DCIService.exe (PID: 2992)
- Starts SC.EXE for service management
  - WebCompanion-Installer.exe (PID: 1432)
  - cmd.exe (PID: 2972)
  - WebCompanion.exe (PID: 3956)
- Drops a system driver (possible attempt to evade defenses)
  - WebCompanion-Installer.exe (PID: 1432)
  - rundll32.exe (PID: 3776)
- Uses RUNDLL32.EXE to load library
  - WebCompanion-Installer.exe (PID: 1432)
- Creates or modifies Windows services
  - rundll32.exe (PID: 3776)
- Executing commands from ".cmd" file
  - WebCompanion-Installer.exe (PID: 1432)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3672)
- Checks supported languages
  - $R4P6CYV.exe (PID: 120)
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion.exe (PID: 3692)
  - WebCompanion-Installer.exe (PID: 1432)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - DCIService.exe (PID: 2992)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Manual execution by a user
  - $R4P6CYV.exe (PID: 120)
- Create files in a temporary directory
  - $R4P6CYV.exe (PID: 120)
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion.exe (PID: 3692)
  - WebCompanion-Installer.exe (PID: 1432)
- Reads the machine GUID from the registry
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion-Installer.exe (PID: 1432)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
  - DCIService.exe (PID: 2992)
- Reads the computer name
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion.exe (PID: 3956)
  - DCIService.exe (PID: 2992)
  - WebCompanion.exe (PID: 3584)
- Reads Environment values
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Creates files or folders in the user directory
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - DCIService.exe (PID: 2992)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion-Installer.exe (PID: 1432)
  - WebCompanion.exe (PID: 3584)
- Reads the software policy settings
  - WebCompanion-Installer.exe (PID: 2124)
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Creates files in the program directory
  - WebCompanion.exe (PID: 1844)
  - WebCompanion-Installer.exe (PID: 3104)
  - WebCompanion-Installer.exe (PID: 1432)
  - Lavasoft.WCAssistant.WinService.exe (PID: 4036)
  - DCIService.exe (PID: 2992)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Reads product name
  - WebCompanion.exe (PID: 1844)
  - WebCompanion.exe (PID: 968)
  - WebCompanion.exe (PID: 3956)
  - WebCompanion.exe (PID: 3584)
- Application launched itself
  - chrome.exe (PID: 2632)
- Reads Microsoft Office registry keys
  - WebCompanion.exe (PID: 968)
  - WebCompanion.exe (PID: 3584)
- Creates files in the driver directory
  - rundll32.exe (PID: 3776)
- Drops the executable file immediately after the start
  - rundll32.exe (PID: 3776)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 2732)
- Reads the time zone
  - runonce.exe (PID: 2732)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0001
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:02:10 23:34:50
ZipCRC:	0xdc345e76
ZipCompressedSize:	456684
ZipUncompressedSize:	545160
ZipFileName:	$R4P6CYV.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

120

"C:\Users\admin\Desktop\$R4P6CYV.exe"

C:\Users\admin\Desktop\$R4P6CYV.exe

explorer.exe

User:

admin

Company:

Lavasoft

Integrity Level:

HIGH

Description:

Web Companion Installer

Exit code:

Version:

12.901.2.991

Modules

Images
c:\users\admin\desktop\$r4p6cyv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

680

"sc.exe" description "DCIService" "Webprotection Bridge service"

C:\Windows\System32\sc.exe

—

WebCompanion-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

900

"sc.exe" Create "DCIService" binPath= "C:\Program Files\Lavasoft\Web Companion\Service\Win32\DCIService.exe" DisplayName= "DCIService" start= auto

C:\Windows\System32\sc.exe

—

WebCompanion-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

968

"C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall

C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

WebCompanion-Installer.exe

User:

admin

Company:

Lavasoft

Integrity Level:

HIGH

Description:

Web Companion

Exit code:

4294967295

Version:

12.901.4.1003

Modules

Images
c:\users\admin\appdata\roaming\lavasoft\web companion\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1432

.\WebCompanion-Installer.exe --nanouniqueid=1707608305134 --enablewp --silent --installid=ce6e703d-3b8d-4cab-b3cb-9bdfeb5b4fb6 --partner=IN230901A --campaign=18022583703 --version=12.1.4.1003

C:\Users\admin\AppData\Local\Temp\7zSC6EB0AFA\WebCompanion-Installer.exe

WebCompanion.exe

User:

admin

Company:

Lavasoft

Integrity Level:

HIGH

Description:

Web Companion

Exit code:

Version:

12.1.4.1003

Modules

Images
c:\users\admin\appdata\local\temp\7zsc6eb0afa\webcompanion-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1656

"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto

C:\Windows\System32\sc.exe

—

WebCompanion-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1796

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1112,i,1693020286238810330,17215082926169375832,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1844

"C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=

C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

WebCompanion-Installer.exe

User:

admin

Company:

Lavasoft

Integrity Level:

HIGH

Description:

Web Companion

Exit code:

Version:

12.901.4.1003

Modules

Images
c:\users\admin\appdata\roaming\lavasoft\web companion\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1936

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1332 --field-trial-handle=1112,i,1693020286238810330,17215082926169375832,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2112

C:\Windows\system32\net1 start bddci

C:\Windows\System32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

Add for printing

Total events

75 820

Read events

75 350

Write events

453

Delete events

Modification events


(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\ae1bc5fc07b1554f935c7d0e7b6452138fb56179960eb80d6c8bfd62a1b6a773.zip
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3672) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120

Add for printing

Executable files

299

Suspicious files

127

Text files

174

Unknown types

Dropped files

PID	Process	Filename		Type
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\en-US\WebCompanion-Installer.resources.dll		executable
		MD5:7C0E28A31CCD2522EFBD0A13D884737F	SHA256:573A94A782D71979F7DDDCC72376F7FE444530C0E8A260CC06314A5AA6BA4A90
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\fr-CA\WebCompanion-Installer.resources.dll		executable
		MD5:ABEDA6C7104F71C2137DF7F011EEC93C	SHA256:01748ABE22230CF621EEDCB14124D59AA9F471D85DD36DE5A271B65382F6175D
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\ja-JP\WebCompanion-Installer.resources.dll		executable
		MD5:7D06B5848CEBD17113F9BC94979CD61B	SHA256:F9D05AC726E2350429B9C91840D249E252E667E77577E01041D2DEBFF7ADECD1
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\pt-BR\WebCompanion-Installer.resources.dll		executable
		MD5:E2423F7E31E9D897AA80D9B71A6203DD	SHA256:7A85AC96F886D18C9D3A441E4BB73501AF7DD4DE0C45E0551FC80E10A3B6D0E9
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\tr-TR\WebCompanion-Installer.resources.dll		executable
		MD5:36508BEFD079D1F5E010973E59F390E7	SHA256:449952E7C986BE0625B6D43F17D8ACCC1FF367B03D7611BCB2D3BFE9B7B47975
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\it-IT\WebCompanion-Installer.resources.dll		executable
		MD5:B5C7FD5FCC9DF47FD4560CA3E7D15119	SHA256:39D4FEE7CA6F5191071F925D0BE3B6570438F3CC65EA697815C496F7114312BB
2124	WebCompanion-Installer.exe	C:\Users\admin\AppData\Local\Temp\WebCompanion.zip		compressed
		MD5:01F1EEB6020DAA365B2F1FE3BB3F4A64	SHA256:28369BCAB47935F93760DFF94117D5E38A2C846E6463DA2FB0E322BCB34A1C6D
2124	WebCompanion-Installer.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Options\Statistics.txt		binary
		MD5:78D78B4D06171E369EEFA49F09AB968C	SHA256:B291C136EA24BE222A9B2F185A4C0C17F2044CB695961C7C291B48356A86B4E4
120	$R4P6CYV.exe	C:\Users\admin\AppData\Local\Temp\7zS870A1218\WebCompanion-Installer.exe		executable
		MD5:22AD7758BB85B37F392E2FDD7DE5E760	SHA256:3FCC92AAFCEDFE88FD90FC8CAC9DA06C931725D060571702E34C1F0386E36B29
2124	WebCompanion-Installer.exe	C:\Users\admin\AppData\Roaming\Lavasoft\Web Companion\Application\acs17.dll		executable
		MD5:73DB319018F5685DD106461BF2817E67	SHA256:03E7B296EDBB84E83592CD3D357EDAE1EBC1528E2451DEAA47B527568AB79B90

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2124	WebCompanion-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
2124	WebCompanion-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
1844	WebCompanion.exe	GET	200	64.18.87.81:80	http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN230901_wb	unknown	binary	205 b	unknown
1844	WebCompanion.exe	GET	200	64.18.87.81:80	http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN230901_ab	unknown	binary	205 b	unknown
1844	WebCompanion.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
1844	WebCompanion.exe	GET	200	104.18.211.25:80	http://webcompanion.com/version_logs?json=true&version=12.901.4.1003	unknown	text	4 b	unknown
1432	WebCompanion-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
1432	WebCompanion-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
3104	WebCompanion-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
4036	Lavasoft.WCAssistant.WinService.exe	GET	200	69.192.162.201:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D	unknown	binary	812 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2124	WebCompanion-Installer.exe	104.17.8.52:80	geo.lavasoft.com	CLOUDFLARENET	—	shared
2124	WebCompanion-Installer.exe	104.17.8.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
2124	WebCompanion-Installer.exe	104.18.27.149:443	flwadw.com	CLOUDFLARENET	—	shared
2124	WebCompanion-Installer.exe	104.17.9.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
1844	WebCompanion.exe	104.17.8.52:80	geo.lavasoft.com	CLOUDFLARENET	—	shared
1844	WebCompanion.exe	104.17.9.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
1844	WebCompanion.exe	104.18.27.149:443	flwadw.com	CLOUDFLARENET	—	shared

DNS requests

Domain	IP	Reputation
geo.lavasoft.com	104.17.8.52 104.17.9.52	unknown
featureflags.lavasoft.com	104.17.8.52 104.17.9.52	unknown
flwadw.com	104.18.27.149 104.18.26.149	unknown
wcdownloadercdn.lavasoft.com	104.17.9.52 104.17.8.52	whitelisted
wc-partners.lavasoft.com	64.18.87.81 64.18.87.82	whitelisted
webcompanion.com	104.18.211.25 104.18.212.25	unknown
clientservices.googleapis.com	142.250.185.227	whitelisted
accounts.google.com	64.233.166.84	shared
staging-partner-info.lavasoft.net	—	unknown
sg-bitmask.adaware.com	104.18.68.73 104.18.67.73	unknown

Threats

PID	Process	Class	Message
1844	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
1844	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
1844	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion
1844	WebCompanion.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Adaware Web Companion

Add for printing

Process	Message
WebCompanion-Installer.exe	Detecting windows culture
WebCompanion-Installer.exe	Preparing request for featureflag: {"Geo":"DE","Partner":"IN230901","Campaign":"18022583703","InstallDate":"20240210","TriggerType":"install","TriggerEvent":"installer","Version":"12.901.2.991","featurewp":true,"featureal":true}
WebCompanion-Installer.exe	Getting response from featureflag: [{"sectionCode":"WAC","code":"WAC","configuration":"{\"Icon\": \"https://webcompanion.com/images/favicon.ico\", \"AppName\": \"Web Companion\", \"Settings\": [\"WCAutoUpdate\", \"EnableGranularity\", \"PostRunV2Action\", \"PostRunTimerAction\", \"EnableTelemetryScan\", \"EnableWebProtection\", \"EnableDynamicNotification\"], \"CompanyName\": \"Lavasoft\", \"ConfigVersion\": \"v1\", \"CurrentVersion\": \"9.3.0\"}","targetId":301},{"sectionCode":"WFAI","code":"WCP","configuration":"{\"Version\": \"3.0.2.12\", \"FilePath\": \"https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip\", \"BlackList\": \"https://acs.lavasoft.com/api/v2/url/blacklist\", \"WhiteList\": \"https://acs.lavasoft.com/api/v2/url/permanentwhitelist\", \"DisplayName\": \"Web Protection\", \"FeatureName\": \"WebProtection\"}","targetId":241}]
WebCompanion-Installer.exe	2/10/2024 11:35:45 PM :-> Start
WebCompanion-Installer.exe	Failed to report progress in SendPostRequest: System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.GetResponse() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanion-Installer.exe	2/10/2024 11:35:46 PM :-> Starting installer 12.901.2.991 with: .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN230901 --nonadmin --direct --tych --campaign=18022583703 --version=12.901.2.991, Run as admin: True
WebCompanion-Installer.exe	SecurityProtocol set toTls, Tls11, Tls12, Tls13
WebCompanion-Installer.exe	Preparing for installing Web Companion
WebCompanion-Installer.exe	2/10/2024 11:35:47 PM :-> Generating Machine and Install Id ...
WebCompanion-Installer.exe	2/10/2024 11:35:47 PM :-> Machine Id and Install Id has been generated

General Info

ae1bc5fc07b1554f935c7d0e7b6452138fb56179960eb80d6c8bfd62a1b6a773.zip

557464EEE7CA1D926F27C97F754ABF30

87E2398C922D640410ADAED7A3FE39B999EBF24F

EAC03B7830F73B2AEA2D763EEC045E5E8B8992DE4C5D51626D634466989195A6

24576:+LJTCLM9LNon8Cw1O1us2cheDT1l2DGGikPyPrqqB4uC8gy:+LJTCLM9Lan8Cw1O1us2cheDT1l2DGG+

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Steals credentials from Web Browsers

ADAWARE has been detected (SURICATA)

Changes the autorun value in the registry

Actions looks like stealing of personal data

Creates a writable file in the system directory

Starts NET.EXE for service management

SUSPICIOUS

Executable content was dropped or overwritten

Searches for installed software

Reads the Internet Settings

Reads settings of System Certificates

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

Changes internet zones settings

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Suspicious use of NETSH.EXE

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Adds/modifies Windows certificates

The process creates files with name similar to system file names

Creates a software uninstall entry

Executes as Windows Service

Starts SC.EXE for service management

Drops a system driver (possible attempt to evade defenses)

Uses RUNDLL32.EXE to load library

Creates or modifies Windows services

Executing commands from ".cmd" file

INFO

Executable content was dropped or overwritten

Checks supported languages

Manual execution by a user

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Creates files or folders in the user directory

Reads the software policy settings

Creates files in the program directory

Reads product name

Application launched itself

Reads Microsoft Office registry keys

Creates files in the driver directory

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Reads the time zone

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules