Edit tour

Windows Analysis Report
MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip

Overview

General Information

Sample name:	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip
Analysis ID:	1586735
MD5:	81602281072f582789a0df509a1aac10
SHA1:	313482db2f1f000a370d23db2ff12d6fadc573a7
SHA256:	21b808baad576e2890358af8a899cdfc09a62c094edb651218119fd234cd199e
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Creates a window with clipboard capturing capabilities

Drops PE files

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 2752 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

7zFM.exe (PID: 6376 cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)

WebCompanion-Installer.exe (PID: 5988 cmdline: "C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe" MD5: A27F9713DB1688D03D2082BFA1827803)

WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WebCompanion-Installer.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe" MD5: A27F9713DB1688D03D2082BFA1827803)

WerFault.exe (PID: 636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 1236 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WebCompanion-Installer.exe (PID: 1640 cmdline: "C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe" MD5: A27F9713DB1688D03D2082BFA1827803)

WerFault.exe (PID: 2092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

OpenWith.exe (PID: 6716 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

ReversingLabs: Detection: 20%

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

File created: C:\Users\user\AppData\Local\Temp\WcInstaller.log

Networking

Yara detected Generic Downloader

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe, type: DROPPED

Source: C:\Program Files\7-Zip\7zFM.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1232

Source: classification engine

Classification label: mal52.troj.winZIP@12/15@0/12

Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7044
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1640
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5988

Source: C:\Program Files\7-Zip\7zFM.exe

File created: C:\Users\user\AppData\Local\Temp\7zO8E86F629

Source: C:\Program Files\7-Zip\7zFM.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip"
Source: C:\Program Files\7-Zip\7zFM.exe	Process created: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe "C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1232
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\7-Zip\7zFM.exe	Process created: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe "C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe"
Source: C:\Program Files\7-Zip\7zFM.exe	Process created: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe "C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 1236
Source: C:\Program Files\7-Zip\7zFM.exe	Process created: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe "C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe"
Source: C:\Program Files\7-Zip\7zFM.exe	Process created: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe "C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1232
Source: C:\Program Files\7-Zip\7zFM.exe	Process created: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe "C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe"

Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: wldp.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: profapi.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: propsys.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: thumbcache.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: policymanager.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: d3d11.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: dcomp.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: dxgi.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: edputil.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: urlmon.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: iertutil.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: srvcli.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: netutils.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: sspicli.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: appresolver.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: slc.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: userenv.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: sppc.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: apphelp.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: pcacli.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: mpr.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: sfc_os.dll
Source: C:\Program Files\7-Zip\7zFM.exe	Section loaded: actxprxy.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Section loaded: fwpuclnt.dll

Source: C:\Program Files\7-Zip\7zFM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\7-Zip\7zFM.exe

File created: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

File created: C:\Users\user\AppData\Local\Temp\WcInstaller.log

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zFM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zFM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Memory allocated: 2990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Memory allocated: 3170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch

Source: C:\Program Files\7-Zip\7zFM.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E81062A\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zO8E8912DA\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Clipboard Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe	21%	ReversingLabs	Win32.PUA.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.42.73.29	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.189.173.20	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.189.173.22	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586735
Start date and time:	2025-01-09 15:03:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip
Detection:	MAL
Classification:	mal52.troj.winZIP@12/15@0/12
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion-Ins_b7432f713ecfb31df92ee8eb42f36da5a2c3ce48_b7d282ce_152bf885-e58b-4765-8839-4435a258f52d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2385723891202367
Encrypted:	false
SSDEEP:
MD5:	ACB46608DBC682E148CBA3C79DF1EE42
SHA1:	269B6A00D49CC330C434EB6121352603917934C0
SHA-256:	99C1141E1BB42867AB504140562EB0EE5072BE67B8A7F2E392DE78F8E69F8D76
SHA-512:	9F8867877DCDA93A025E29163C9E8A4665C8940D466C6C0FF36D1138CD46A1FEF4CBEC2CBF666642D65B40A71328C2491E38E4EA5241AFC091DC504F7BEDF97B
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.0.5.0.7.0.6.7.0.5.0.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.0.5.0.7.1.3.3.2.4.8.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.2.b.f.8.8.5.-.e.5.8.b.-.4.7.6.5.-.8.8.3.9.-.4.4.3.5.a.2.5.8.f.5.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.6.1.a.3.d.9.-.a.8.f.6.-.4.d.8.7.-.8.7.0.4.-.7.4.0.6.1.6.d.c.a.6.a.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n.-.I.n.s.t.a.l.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.6.4.-.0.0.0.1.-.0.0.1.6.-.9.b.5.f.-.2.8.6.6.9.f.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.9.e.6.a.5.a.5.e.8.6.9.a.f.5.a.c.c.0.7.3.4.b.1.e.e.c.8.3.5.6.6.0.0.0.0.0.0.0.0.!.0.0.0.0.b.8.d.f.4.6.4.9.6.5.9.0.0.3.6.0.9.4.1.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion-Ins_b7432f713ecfb31df92ee8eb42f36da5a2c3ce48_b7d282ce_49316fba-9d3b-48c8-ab05-2dcf5d7efba3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2385640921726313
Encrypted:	false
SSDEEP:
MD5:	805AC5CBCEED7382FA5B664D9A352F34
SHA1:	6792D3798EE717BD6725674E80F6CA6E5219B2E5
SHA-256:	3809CE8CED3E552BA14F5EF58E30D3516B18DBA8ED44D8A15A0B7A0F089218DB
SHA-512:	E3058FB6DB78628E642B90FF9D1DABE54273BCD8F81CB2FB90D718F5F931A0B0D0DD8B6087F5163BDA24F5475CE11868D62BEFDAD7F2AC6F5A15C2BD2CFA356B
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.0.5.1.2.5.0.2.6.3.4.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.0.5.1.2.5.4.2.1.3.6.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.3.1.6.f.b.a.-.9.d.3.b.-.4.8.c.8.-.a.b.0.5.-.2.d.c.f.5.d.7.e.f.b.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.b.4.d.0.0.8.-.e.6.a.a.-.4.5.8.b.-.8.1.c.6.-.c.7.6.4.4.0.1.8.c.e.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n.-.I.n.s.t.a.l.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.4.-.0.0.0.1.-.0.0.1.6.-.5.9.1.4.-.f.d.8.6.9.f.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.9.e.6.a.5.a.5.e.8.6.9.a.f.5.a.c.c.0.7.3.4.b.1.e.e.c.8.3.5.6.6.0.0.0.0.0.0.0.0.!.0.0.0.0.b.8.d.f.4.6.4.9.6.5.9.0.0.3.6.0.9.4.1.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion-Ins_b7432f713ecfb31df92ee8eb42f36da5a2c3ce48_b7d282ce_892fe111-9cee-4f4c-9de4-dd2797a05252\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2381902959469855
Encrypted:	false
SSDEEP:
MD5:	2AA423F914BD8862967B47A98769E99D
SHA1:	31CD090230BB66F645E5F495800E88FA58FD9946
SHA-256:	4B46E76B8E07316BD2CFD0F53ECC84A6CDF3B2163BBCDDF51314157ACE6DD1E3
SHA-512:	9DC2F907AE16F5CE1B13710345032726A6098848FB47EBF4F2BEB180790C26705F2EE881D1DA0F367033637FFF7DC54B840D7077BE2BC164306A0B197C986A40
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.0.5.1.5.2.8.4.9.1.4.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.0.5.1.5.3.2.9.3.1.4.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.2.f.e.1.1.1.-.9.c.e.e.-.4.f.4.c.-.9.d.e.4.-.d.d.2.7.9.7.a.0.5.2.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.6.6.a.0.7.e.-.7.3.4.4.-.4.7.e.2.-.b.6.e.f.-.b.8.f.e.8.4.a.4.4.d.9.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n.-.I.n.s.t.a.l.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.6.8.-.0.0.0.1.-.0.0.1.6.-.2.c.3.a.-.7.4.9.7.9.f.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.9.e.6.a.5.a.5.e.8.6.9.a.f.5.a.c.c.0.7.3.4.b.1.e.e.c.8.3.5.6.6.0.0.0.0.0.0.0.0.!.0.0.0.0.b.8.d.f.4.6.4.9.6.5.9.0.0.3.6.0.9.4.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER49A7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 14:05:25 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	358113
Entropy (8bit):	4.122817481447595
Encrypted:	false
SSDEEP:
MD5:	911600918DA77C65F4E3908A9073F0A6
SHA1:	20EFEEDB6D4124564880B5527046ACE3364AE4AD
SHA-256:	E5D21F9C0042DCE39D4B28D9A40CFEA4A313ADFDE87291C037ADB723060550BA
SHA-512:	66AF3A441B1A748281A86085F156DCE2DD930B44DE893655B3D0EB0BC8396E23AC62235ECB12B1F7BB9283BE155DFA2A26A357D5451E837D9336363AA8201835
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........g....................................$....&......T2...O..........`.......8...........T............0..aF...........&...........(..............................................................................eJ......h)......GenuineIntel............T..............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A74.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8434
Entropy (8bit):	3.6928739530720778
Encrypted:	false
SSDEEP:
MD5:	B9815D7A1FD88379FE93D658785DE514
SHA1:	C76E184C4F899CDF5504D34B08A3BFC2B33C0CC3
SHA-256:	49210EE0EC46D0D29DB5695E6EA91931420EB671A23C1B26E49D74A408EBC34A
SHA-512:	207697151F2E5B52256A1590ABABC04E05704AED35F68464413AE7D9BCE5503A3E3500B257B2C80580B7CACF7322E7DCB2FF408567ABFEBBB2EB314308E996C2
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A94.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4833
Entropy (8bit):	4.481989637979984
Encrypted:	false
SSDEEP:
MD5:	8EB46D9D5E6655407C39EF9637BE95FC
SHA1:	0C2327DBBB6A28ADE561605AA44F49ABF11BFFB1
SHA-256:	5E980913911AFF3DF52DF0905E144E6D87D190A8314148311D784BA1FEB6D075
SHA-512:	A649807EF6FF9F4F9D5AAF7693570ADD046E275B60EBEED5C28F0D4A20631EFA03F35E970FB5CCEEF926CBADB95163A413A47C24CE585634BECE54E319BE52DD
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668468" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7550.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 14:04:30 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	360690
Entropy (8bit):	4.099717618333291
Encrypted:	false
SSDEEP:
MD5:	1C744E641D29AFAB011E5E3F58FF0E25
SHA1:	F3B0BF1D31B1D4AD9567540C39660766084ED614
SHA-256:	B62F0B5D7A950A6B0CDA0AB3BCDF14FBBB00FFAFE86A883F7BC519F3F44967D5
SHA-512:	4DF51819D22FDD24EDCB5FF073650B4A57CDC2701D21110808975733E5CFBD3650651A919ACE46A3066143583BF9DDA65364763791B5068BB6AF89B2FAFD97D9
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......n..g....................................$....&......T2...O..........`.......8...........T............0..rP...........&...........(..............................................................................eJ......h)......GenuineIntel............T.......d...m..g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8438
Entropy (8bit):	3.6925086929117024
Encrypted:	false
SSDEEP:
MD5:	B5622AA576F5D1DBC7B0CF108BF42B17
SHA1:	E867A548F1A5EAF7EE88365417C247C23398F562
SHA-256:	A62CB501BCBCD18089C8845E085D51DF7709B62BB379C3DACAA5FD29CDF4E389
SHA-512:	CA48F3FF94547F973F201CF84DC720E0B2007F52F9BC144E386DE44A1E998BD36F31786F8AC6EBD8FFE0B502E02EB74E3D02270AA76A1B69DC118671478D21B5
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7717.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4833
Entropy (8bit):	4.482929166243538
Encrypted:	false
SSDEEP:
MD5:	7D73404E703862C4F54A62292FE25D6D
SHA1:	7D5DBA114C445DDBE3A57C63992AB326BC2A7063
SHA-256:	9322165CCE46C729886606BC5ED5D72EE760F3A2D06EAEBB7598721987D7866C
SHA-512:	1BC21C5CEADE194CDF8A3569844DDA2E604BAAD4D071FD17521CB34C4E7EC07C10916E69FF5F6F300BDEA4D1540E3CB426D63C4CA3B2B26AEA68A327E27E379A
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668467" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB66B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 14:05:53 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	354465
Entropy (8bit):	4.17698145928067
Encrypted:	false
SSDEEP:
MD5:	4C5118D5F65F1A1B61C210087DC7C1A1
SHA1:	30C67ECE6505832D960FA9F260938031D66623F6
SHA-256:	7DA444AEB46430E218ED7C14DE0C9525CD6B7DC91BD922E1C3C0FD1DFE820DA4
SHA-512:	DA468EC17EA6039FB02E1B6AE3B9D86CD72E61990CE8F380FB42FE50677FA74959068C2B79F808FDF71970B7610F6D9DA88109E53B3D6F842520F23F4A354F01
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........g....................................$....&......D2...O..........`.......8...........T............0..!8...........&...........(..............................................................................eJ......h)......GenuineIntel............T.......h......g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB766.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8434
Entropy (8bit):	3.6925413158612423
Encrypted:	false
SSDEEP:
MD5:	088E2C989EF4BE8FA01FB5A6DA1A07B8
SHA1:	6E710CC9B71FCEB5751BFF0EFA40D815EEAFEA97
SHA-256:	345162E1973A2B8073053888AABD047D005186095F8672E7F16B8451F80C880D
SHA-512:	BB71436DADCF38E48136C442F30EA6E9C3846327E2162423F042BBE1F3AA19B2AFE78C500E8E916D730823101C226856796F9F121030256D31A31A4A79C0BE38
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB786.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4833
Entropy (8bit):	4.482142408519314
Encrypted:	false
SSDEEP:
MD5:	6164DB46BE817007984860D975012F3F
SHA1:	467DF812AAB7E8BB190753BED292A8EFF3598E61
SHA-256:	14BEF40309170BFE52A0226720CB7CE3828497534018818A0CFF0CB8F700C9B9
SHA-512:	35D2A92E0261790C9FBB33F5DB39162C11F0BCD2EF1E5DB74DD5C6E83592763DACFD365B57CC8DC11925B6D944417B90FD83E4B2833AAC1A3A476AC9056D1AFE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668468" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\7zO8E813919\WebCompanion-Installer.exe.config

Download File

Process:	C:\Program Files\7-Zip\7zFM.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2273
Entropy (8bit):	5.064418012146103
Encrypted:	false
SSDEEP:
MD5:	E3D3AA100B93504676414B9268DFBAD4
SHA1:	A7D1E59C9D8C48DFE259D2973C13B0E2965E67AA
SHA-256:	EA7747D876307B0022F055C311C4F8F8112FDDE380E0848FD35508C00EDF8E7A
SHA-512:	9470E0B4784CE3AA94248DDBD9C17BCA988B6A680754511CBE1F1C368270F6D18C75AD1EA0F3A438CA5BB1A12E55E8745F68F2EBC9F78C68B373A6541AC9EFBE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ProdSettings" type="System.Configuration.NameValueSectionHandler"/>.. <section name="StagingSettings" type="System.Configuration.NameValueSectionHandler"/>.. </configSections>.. <ProdSettings>.. <add key="Installer" value="https://wcdownloadercdn.lavasoft.com/13.0.0.1080/WebCompanionInstaller-13.0.0.1080-prod.exe"/>.. <add key="WebProtectionZip" value="https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip"/>.. <add key="InstallerZip" value="http://wcdownloadercdn.lavasoft.com/13.0.0.1080/WebCompanion-13.0.0.1080-prod.zip"/>.. <add key="WebInstallerZip" value="http://wcdownloadercdn.lavasoft.com/13.0.0.1080/webinstaller-13.0.0.1080-prod.zip"/>.. </ProdSettings>.. <StagingSettings>.. <add key="Installer" value="https://wcdownloader-qa.lavasoft.com/13.0.0.1080/WebCompanionInstaller-13.0.0.1080-internal.exe"/>.. <add key="WebProtectionZip" va

C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

Download File

Process:	C:\Program Files\7-Zip\7zFM.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	438936
Entropy (8bit):	6.4311342686757245
Encrypted:	false
SSDEEP:
MD5:	A27F9713DB1688D03D2082BFA1827803
SHA1:	B8DF4649659003609419D052757166499D2322E8
SHA-256:	2F86EB0D3902A11DA1F534D9734DABAE37D33E2C57B03F968198A1CFC2E652A9
SHA-512:	F952C6792F10CB60CA3ECC00B317C33AADB65C8471D106171660EC0FCB0603C8D18B8AD2A90AACDA6581D342647290099AF0ED0FDD897EDB390D5BF9209EA905
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$Cf.....................t.......(... ...@....@.. ....................................@..................................(..K....@...q...............2..........X'............................................... ............... ..H............text........ ...................... ..`.rsrc....q...@...r..................@..@.reloc...............~..............@..B.................(......H..................{....i...9............................................~....}.....(......su...}......(....}.....r...pz.(....r'..p.{....(......(........0..j..........{....r...pov...,.(.....+.(......r...p(......(......r...p.{....o....o.......(........sG........o......z..........UU......N.(....r...p..(.....r...p.......{...."..}.....rA..p.rS..p.(....oV...f.~....}.....(......(.....ro..pN.(....r...p..(.....0..i.......~......(....(!...,.r...p.+..(.......(j.....(...+

C:\Users\user\AppData\Local\Temp\WcInstaller.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe
File Type:	ASCII text, with very long lines (308), with CRLF line terminators
Category:	modified
Size (bytes):	1457
Entropy (8bit):	4.873575275262101
Encrypted:	false
SSDEEP:
MD5:	47C0C2975CA86EFC63AAC7491E3AD873
SHA1:	750DB4D5466DF4FD01EB04BE0E1563CA057892D9
SHA-256:	38ED07D05CD8E04025929081CD45C8B82113522172A3BC09E1287748C131EE69
SHA-512:	76E55A0E53397B8A36AA18502AA5F4D760EDB5DDB63E0DBBBFB3A21E234DD3A90C24AB8B57AFFC901686501061C65CD67C62AF3B1425A3AC416720B3C92817C6
Malicious:	false
Reputation:	unknown
Preview:	Failed to OpenWcfHost: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:9008/webcompanion/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied.. at System.Net.HttpListener.AddAllPrefixes().. at System.Net.HttpListener.Start().. at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen().. --- End of inner exception stack trace ---.. at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen().. at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener).. at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback).. at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout).. at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout).. at System

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.99952389332103
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip
File size:	456'855 bytes
MD5:	81602281072f582789a0df509a1aac10
SHA1:	313482db2f1f000a370d23db2ff12d6fadc573a7
SHA256:	21b808baad576e2890358af8a899cdfc09a62c094edb651218119fd234cd199e
SHA512:	4bfc7f1b214631f03851b04d51cabbe3da039da183df0e1612416735ddae69c481d06c3f93210516631f341949f1fb23cf4af2487a03e9c47e3b6a36f2877077
SSDEEP:	12288:YlymFnzn/UJ1KNdOiUEfnCGuCTcvJoWjXH9:YRUJ1SUrsnCj9jt
TLSH:	F4A423B0F9B91D06EEA069872FF375934A1A8BECC42D663352F4259D243CD323A1D175
File Content Preview:	PK........qm)Z..Z.C...HR..U.$.Defender detected and quarantined 'Trojan:Win32/Wacatac.A!ml' in file 'Setup (1).exe'.. ..........9.{.b...9.{.b...8.{.b....+....hs%.....o...... .$%......^L..R,..;y..Z......T..5c.q.F..T.N.b....?[..X..W]....x=....w........\d..g

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion-Ins_b7432f713ecfb31df92ee8eb42f36da5a2c3ce48_b7d282ce_152bf885-e58b-4765-8839-4435a258f52d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion-Ins_b7432f713ecfb31df92ee8eb42f36da5a2c3ce48_b7d282ce_49316fba-9d3b-48c8-ab05-2dcf5d7efba3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion-Ins_b7432f713ecfb31df92ee8eb42f36da5a2c3ce48_b7d282ce_892fe111-9cee-4f4c-9de4-dd2797a05252\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER49A7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A74.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A94.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7550.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7717.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB66B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB766.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB786.tmp.xml

C:\Users\user\AppData\Local\Temp\7zO8E813919\WebCompanion-Installer.exe.config

C:\Users\user\AppData\Local\Temp\7zO8E839E09\WebCompanion-Installer.exe

C:\Users\user\AppData\Local\Temp\WcInstaller.log

Static File Info

General

File Icon

Windows Analysis Report
MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip