Edit tour

Windows Analysis Report
WebCompanion.exe

Overview

General Information

Sample Name:	WebCompanion.exe
Analysis ID:	895812
MD5:	2234a9191d623036e247f4d28bb509c8
SHA1:	a96788de8b892cd341ac3b6df0ec943cdec68600
SHA256:	c090a298878546b93f3872adbe9e264be18cb6b538df8838a27cb9e9f0cad7a9
Infos:

Detection

Score:	39
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Multi AV Scanner detection for submitted file

Found detection on Joe Sandbox Cloud Basic

Yara detected Generic Downloader

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

Checks if the current process is being debugged

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

WebCompanion.exe (PID: 3676 cmdline: C:\Users\user\Desktop\WebCompanion.exe MD5: 2234A9191D623036E247F4D28BB509C8)

WerFault.exe (PID: 6128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 772 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WebCompanion.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: WebCompanion.exe

Virustotal: Detection: 9%

Perma Link

Source: WebCompanion.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WebCompanion.exe

Static PE information: certificate valid

Source: WebCompanion.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: PresentationFramework.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb0 source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: symbols\dll\PresentationCore.pdb5 source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb={ source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (Pvm@C:\Windows\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\PresentationCore.pdbH source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: c:\Windows\Temp\drone-3LBJqoTBedv1iSbk\drone\src\WebCompanion\Companion.UI\obj\x86\Debug\WebCompanion.pdb source: WebCompanion.exe
Source:	Binary string: System.Core.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: PresentationFramework.ni.pdbRSDS~J source: WER3526.tmp.dmp.3.dr
Source:	Binary string: PresentationCore.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: WindowsBase.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xaml.ni.pdbRSDS\| source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.pdbL source: WER3526.tmp.dmp.3.dr
Source:	Binary string: c:\Windows\Temp\drone-3LBJqoTBedv1iSbk\drone\src\WebCompanion\Companion.UI\obj\x86\Debug\WebCompanion.pdbPE source: WebCompanion.exe
Source:	Binary string: \??\C:\Windows\symbols\dll\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationCore.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xaml.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\PresentationCore.pdbpdbore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: WebCompanion.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationCore.pdbkb^ source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\PresentationCore.pdbi source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp, WER3526.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9 source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match

File source: WebCompanion.exe, type: SAMPLE

Source: WebCompanion.exe	String found in binary or memory: <td align="right" width="24"><a target="_blank" href="https://www.facebook.com/lavasoft.adaware"><img src="http://webcompanion.com/images/email/fb-icon.png" width="16" height="16" alt="fb" style="display:block;border:0;" /></a></td> equals www.facebook.com (Facebook)
Source: WebCompanion.exe	String found in binary or memory: }}uNon elevated process completed for enableEnterprisePolicy.'C:\ffLanguages.json3Search from user config: 9Search from firefox config: +http://www.google.com1http://www.microsoft.com/http://www.facebook.comstop equals www.facebook.com (Facebook)
Source: WebCompanion.exe	String found in binary or memory: TwitterVisitUrl)http://lavasoft.com/ahttps://www.facebook.com/sharer/sharer.php?u={0}/http://webcompanion.comiWeb Companion. A safer, cleaner browsing experience.Shttps://www.facebook.com/officialadaware/Khttps://plus.google.com/share?url={0}yhttps://plus.google.com/u/0/b/116438965069860868108/+adawareahttp://twitter.com/intent/tweet?text={1}&url={0}Ghttps://twitter.com/officialadawarek/WebCompanion;component/ui/views/featurelistview.xaml equals www.facebook.com (Facebook)
Source: WebCompanion.exe	String found in binary or memory: TwitterVisitUrl)http://lavasoft.com/ahttps://www.facebook.com/sharer/sharer.php?u={0}/http://webcompanion.comiWeb Companion. A safer, cleaner browsing experience.Shttps://www.facebook.com/officialadaware/Khttps://plus.google.com/share?url={0}yhttps://plus.google.com/u/0/b/116438965069860868108/+adawareahttp://twitter.com/intent/tweet?text={1}&url={0}Ghttps://twitter.com/officialadawarek/WebCompanion;component/ui/views/featurelistview.xaml equals www.twitter.com (Twitter)
Source: WebCompanion.exe	String found in binary or memory: `https://www.facebook.com/sharer/sharer.php?u={0}Rhttps://www.facebook.com/officialadaware/Jhttps://plus.google.com/share?url={0}xhttps://plus.google.com/u/0/b/116438965069860868108/+adawarehWeb Companion. A safer, cleaner browsing experience..http://webcompanion.com`http://twitter.com/intent/tweet?text={1}&url={0}Fhttps://twitter.com/officialadaware equals www.facebook.com (Facebook)
Source: WebCompanion.exe	String found in binary or memory: `https://www.facebook.com/sharer/sharer.php?u={0}Rhttps://www.facebook.com/officialadaware/Jhttps://plus.google.com/share?url={0}xhttps://plus.google.com/u/0/b/116438965069860868108/+adawarehWeb Companion. A safer, cleaner browsing experience..http://webcompanion.com`http://twitter.com/intent/tweet?text={1}&url={0}Fhttps://twitter.com/officialadaware equals www.twitter.com (Twitter)

Source: WebCompanion.exe	String found in binary or memory: http://10.45.0.17:8341/api/v1/activeFeatures/filter/partnerId/
Source: WebCompanion.exe	String found in binary or memory: http://adaware.com/browser/ff/index.phpSInitializing
Source: WebCompanion.exe	String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: WebCompanion.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WebCompanion.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WebCompanion.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WebCompanion.exe	String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: WebCompanion.exe	String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: WebCompanion.exe	String found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: WebCompanion.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WebCompanion.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WebCompanion.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WebCompanion.exe	String found in binary or memory: http://em.lavasoft.com/subscribe/profile?f=21&id=
Source: WebCompanion.exe	String found in binary or memory: http://ext.adaware.com/ss/new-tab-may.xpi
Source: WebCompanion.exe	String found in binary or memory: http://ext.adaware.com/ss/new-tab-may.xpi(FirefoxNtPostInstall2InstallFFRegistrySideload
Source: WebCompanion.exe	String found in binary or memory: http://ext.adaware.com/ss/newtab-omni.xpi
Source: WebCompanion.exe	String found in binary or memory: http://extservice.adaware.com/extension5Inside
Source: WebCompanion.exe	String found in binary or memory: http://in.adaware.com/wc/extension_install.php?exiturl=aHR0cDovL3d3dy53ZWJjb21wYW5pb24uY29t&utm_camp
Source: WebCompanion.exe	String found in binary or memory: http://in.adaware.com/wc/extension_install.php?exiturl=aHR0cDovL3dlYmNvbXBhbmlvbi5jb20vaW5zdGFsbC5wa
Source: WebCompanion.exe	String found in binary or memory: http://lavasoft.com?utm_source=wc&utm_medium=wc&utm_campaign=wcIhttp://webcompanion.com/version_logs
Source: WebCompanion.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: WebCompanion.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: WebCompanion.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: WebCompanion.exe	String found in binary or memory: http://ocsp.entrust.net00
Source: WebCompanion.exe	String found in binary or memory: http://ocsp.entrust.net01
Source: WebCompanion.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: WebCompanion.exe	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/Waterfoxsetup.exe
Source: WebCompanion.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/SearchProtect.WcfService
Source: WebCompanion.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/SearchProtect.WcfService6
Source: WebCompanion.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/VPNService.WCF.Model
Source: WebCompanion.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/VPNService.WCF.Modeli
Source: WebCompanion.exe	String found in binary or memory: http://sdl.adaware.com/cdn/NewBrowserExtensionInstaller.exe
Source: WebCompanion.exe	String found in binary or memory: http://securedsearch.lavasoft.com
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/$
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/AddT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/GetComponentsInfoT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/GetComponentsVersionInfoT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetConnectionInfoResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetConnectionInfoT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetLocationsResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetLocationsT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/IsVPNConnectedResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/IsVPNConnectedT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/LoadConfigResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/LoadConfigT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/TurnOffVPNResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/TurnOffVPNT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/CopyFilesResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/CopyFilesT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/CreatUninstallInfoResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/CreatUninstallInfoT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentHomePageIEResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentHomePageIET
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentSearchIEResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentSearchIET
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunProcessResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunProcessT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunasAdminResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunasAdminT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetAutoRestoreSessionIEResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetAutoRestoreSessionIET
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetHomePageIEResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetHomePageIET
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetNewTabIEResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetNewTabIET
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetSearchEngineIEResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetSearchEngineIET
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SilentUninstallResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/SilentUninstallT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/UpdateUninstallInfoResponse
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/IWCAssistantService/UpdateUninstallInfoT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/SendEmailT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/SendFeedbackT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/SendWCFeedbackT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/SignZipInstallerT
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/T
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/WcSendAutoResponseEmailT
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/faq
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/feedback?utm_source=wc&utm_medium=wc&utm_campaign=wcg/WebCompanion;component
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/ff_extension/ffLanguages.json
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/gw/gateway.php?pid=
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/help
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/help#119Help
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/images/email/hdr_main.png
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/images/email/tw-icon.png
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/images/email/wc-title-header.png
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/installed.php?extinstall=1QError
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/mail-report-reply
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/mz/browser_download.php?partner=
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/notification?timestamp=
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/terms?http://webcompanion.com/privacy;RecoverSE
Source: WebCompanion.exe	String found in binary or memory: http://webcompanion.com/wc_onboarding_software_noab?lang=
Source: WebCompanion.exe	String found in binary or memory: http://wpfanimatedgif.codeplex.com
Source: WebCompanion.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WebCompanion.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Copyright
Source: WebCompanion.exe	String found in binary or memory: http://www.codeproject.com/Articles/28093/Using-RoutedCommands-with-a-ViewModel-in-WPF
Source: WebCompanion.exe	String found in binary or memory: http://www.entrust.net/rpa0
Source: WebCompanion.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: WebCompanion.exe	String found in binary or memory: http://www.gophish.com
Source: WebCompanion.exe	String found in binary or memory: http://www.lavasoft.com
Source: WebCompanion.exe	String found in binary or memory: http://www.lavasoft.com/mylavasoft/contact
Source: WebCompanion.exe	String found in binary or memory: http://www.lavasoft.com/privacy_policy/
Source: WebCompanion.exe	String found in binary or memory: http://www.lavasoft.com/terms_of_use/Ohttp://www.lavasoft.com/privacy_policy/
Source: WebCompanion.exe	String found in binary or memory: http://www.lavasoftsupport.com/index.php?/forum/191-web-companion/
Source: WebCompanion.exe	String found in binary or memory: https://adaware.com/ext/ie.php?pid=
Source: WebCompanion.exe	String found in binary or memory: https://adaware.com/ext/inline.php?pid=
Source: WebCompanion.exe	String found in binary or memory: https://chrome.google.com/webstore/detail/adaware-secure-search/mcecnfofnfjclaifchnaodlamfjlofkp
Source: WebCompanion.exe	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: WebCompanion.exe	String found in binary or memory: https://dwldvpn.adaware.com/get-app.aspx?configid=A63E3802-2966-4D05-8412-1F05409FD025
Source: WebCompanion.exe	String found in binary or memory: https://ext.adaware.com/
Source: WebCompanion.exe	String found in binary or memory: https://ext.adaware.com//ts/
Source: WebCompanion.exe	String found in binary or memory: https://ext.adaware.com/ss/newtab-ext.xpi
Source: WebCompanion.exe	String found in binary or memory: https://featureflags.lavasoft.com/api/Update/WCyhttps://sandbox-featureflags-api.lavasoft.net/api/fe
Source: WebCompanion.exe	String found in binary or memory: https://featureflags.lavasoft.com/api/feature/WC
Source: WebCompanion.exe	String found in binary or memory: https://media.adaware.com/moviesextension/thankyou.php?partnerID=BT151101&sourceTraffic=WCU1908
Source: WebCompanion.exe	String found in binary or memory: https://media.adaware.com/waterfox/onboarding/?utm_source=WebCompanion&utm_medium=Notifications&utm_
Source: WebCompanion.exe	String found in binary or memory: https://notiftrigger.adaware.com/notification-trigger-service/api/v1?partner=
Source: WebCompanion.exe	String found in binary or memory: https://oauth.adaware.com/api=https://myaccount.adaware.com/ehttps://gateway.lavasoft.com/webcompani
Source: WebCompanion.exe	String found in binary or memory: https://open.webcompanion.com
Source: WebCompanion.exe	String found in binary or memory: https://open.webcompanion.com/feature/myprotection
Source: WebCompanion.exe	String found in binary or memory: https://open.webcompanion.com/feature/vpn_https://open.webcompanion.com/feature/wcrewardsMhttps://op
Source: WebCompanion.exe	String found in binary or memory: https://open.webcompanion.com/feedback
Source: WebCompanion.exe	String found in binary or memory: https://open.webcompanion.com/profile
Source: WebCompanion.exe	String found in binary or memory: https://reward.webcompanion.com/?/Inside
Source: WebCompanion.exe	String found in binary or memory: https://reward.webcompanion.com/api/account/reward?http://127.0.0.1:port/api/token
Source: WebCompanion.exe	String found in binary or memory: https://sandbox-featureflags-api.lavasoft.net/api/Update/WC
Source: WebCompanion.exe	String found in binary or memory: https://sdl.adaware.com/?bundleid=WCU001&savename=WCUpdater.exe
Source: WebCompanion.exe	String found in binary or memory: https://sdl.adaware.com/cdn/BrowserExtensionInstaller.exe
Source: WebCompanion.exe	String found in binary or memory: https://staging-reward.lavasoft.net/?
Source: WebCompanion.exe	String found in binary or memory: https://staging-reward.lavasoft.net/api/account/reward
Source: WebCompanion.exe	String found in binary or memory: https://twitter.com/lavasoft
Source: WebCompanion.exe	String found in binary or memory: https://webcompanion.com/ab/index.php?partnerId=
Source: WebCompanion.exe	String found in binary or memory: https://webcompanion.com/download_extensions.php?partnerID=
Source: WebCompanion.exe	String found in binary or memory: https://webcompanion.com/en/
Source: WebCompanion.exe	String found in binary or memory: https://webcompanion.com/en/help.php
Source: WebCompanion.exe	String found in binary or memory: https://webcompanion.com/termsAhttps://webcompanion.com/privacy
Source: WebCompanion.exe	String found in binary or memory: https://webcompanion.com/wp/index.php?partnerId=
Source: WebCompanion.exe	String found in binary or memory: https://www.adaware.com/privacy-policy
Source: WebCompanion.exe	String found in binary or memory: https://www.adaware.com/sites/default/files/installers/H2OAutoUpdate/WCU005.exe
Source: WebCompanion.exe	String found in binary or memory: https://www.adaware.com/sites/default/files/installers/H2OAutoUpdate/WCU006_s.exe
Source: WebCompanion.exe	String found in binary or memory: https://www.adaware.com/terms-of-use
Source: WebCompanion.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: WebCompanion.exe	String found in binary or memory: https://www.waterfoxproject.org/en-US/about/legal/terms/waterfox/
Source: WebCompanion.exe	String found in binary or memory: https://www.waterfoxproject.org/en-US/privacy

System Summary

Found detection on Joe Sandbox Cloud Basic

Source: WebCompanion.exe

Joe Sandbox Cloud Basic: Detection: malicious Score: 42 Threat Name: Analyzer: w10x64

Perma Link

Source: WebCompanion.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A4A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs WebCompanion.exe

Source: C:\Users\user\Desktop\WebCompanion.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 772

Source: WebCompanion.exe

Virustotal: Detection: 9%

Source: WebCompanion.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WebCompanion.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WebCompanion.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\WebCompanion.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WebCompanion.exe C:\Users\user\Desktop\WebCompanion.exe
Source: C:\Users\user\Desktop\WebCompanion.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 772

Source: C:\Users\user\Desktop\WebCompanion.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3676

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3526.tmp

Jump to behavior

Source: WebCompanion.exe	String found in binary or memory: PBtabui/themes/status-installed.png3
Source: WebCompanion.exe	String found in binary or memory: YFtabui/themes/windows-icon-helpp.png
Source: WebCompanion.exe	String found in binary or memory: a.themes/loading-loop.gift
Source: WebCompanion.exe	String found in binary or memory: 2ui/views/loadingview.baml
Source: WebCompanion.exe	String found in binary or memory: ,wpui/loader/block.baml
Source: WebCompanion.exe	String found in binary or memory: .wpui/loader/loader.bamlK
Source: WebCompanion.exe	String found in binary or memory: Bwpui/loader/preloadercontrol.baml8
Source: WebCompanion.exe	String found in binary or memory: .wpui/themes/loading.gif
Source: WebCompanion.exe	String found in binary or memory: status-installed.png?
Source: WebCompanion.exe	String found in binary or memory: windows-icon-helpp.png?
Source: WebCompanion.exe	String found in binary or memory: /Themes/loading-loop.gif
Source: WebCompanion.exe	String found in binary or memory: Epack://application:,,,/WebCompanion;component/WPUI/Themes/loading.gif
Source: WebCompanion.exe	String found in binary or memory: 6.$K>Epack://application:,,,/WebCompanion;component/WPUI/Themes/loading.gif
Source: WebCompanion.exe	String found in binary or memory: -Installs the updates as they become available
Source: WebCompanion.exe	String found in binary or memory: ChromeSideload/InstallFirefoxExtension
Source: WebCompanion.exe	String found in binary or memory: -starting to manage api
Source: WebCompanion.exe	String found in binary or memory: SoftwareUpdate/Adding metadata to file)Getting all criteria;inside criteria step executer
Source: WebCompanion.exe	String found in binary or memory: ehttp://webcompanion.com/installed.php?extinstall=1QError while instaling web protection --
Source: WebCompanion.exe	String found in binary or memory: \\9--install --adblock --path=
Source: WebCompanion.exe	String found in binary or memory: %systemroot%\sysnative\cmd.exe /c start /B explorer.exe{\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar_C:\Program Files\Internet Explorer\iexplore.exe-Launching for trigger +URL is null or empty.+URI is null or empty.
Source: WebCompanion.exe	String found in binary or memory: installer.exe5WebCompanion-Installer.exe
Source: WebCompanion.exe	String found in binary or memory: #E80000=../Themes/status-installed.png
Source: WebCompanion.exe	String found in binary or memory: /WebCompanion;component/ui/views/dialogs/windowstenupgrade.xamly/WebCompanion;component/ui/views/enablingprotectionview.xaml]/WebCompanion;component/wpui/loader/block.xaml
Source: WebCompanion.exe	String found in binary or memory: Colour_/WebCompanion;component/wpui/loader/loader.xaml%ProgressAnimation1%ProgressAnimation2%ProgressAnimation3%ProgressAnimation4s/WebCompanion;component/wpui/loader/preloadercontrol.xaml
Source: WebCompanion.exe	String found in binary or memory: othersQFailed to display application stat data G--enablewp --silent --installid={0}
Source: WebCompanion.exe	String found in binary or memory: IsFFReset-SearchResetEnableCount/ShowUIAfterInstallation1LaunchFirefoxOnWCStartUp/LaunchInlineOnWCStartUp+ExtensionSearchEngine%RetakenSearchValue
Source: WebCompanion.exe	String found in binary or memory: LoadingView_Loaded register MainWin_RequestBeginLoadingPanelBounceAnimationc/WebCompanion;component/ui/views/loadingview.xaml%RunAtSystemStartUpDark
Source: WebCompanion.exe	String found in binary or memory: https://www.adaware.com/sites/default/files/installers/H2OAutoUpdate/WCU006_s.exe
Source: WebCompanion.exe	String found in binary or memory: https://www.adaware.com/sites/default/files/installers/H2OAutoUpdate/WCU005.exe
Source: WebCompanion.exe	String found in binary or memory: SlideMainPanel!RestoreMainPanel5Themes/{0}/Custom_Pro.xaml=Themes/{0}/Custom_Reimage.xaml-Themes/{0}/Custom.xaml9MinimizeMainWindowStoryBoard/Stoping the service....'Service Stopped....GCould not stop WCAssistant Service YHideLoadingPanel: loaded = {0}; active = {1}7RestoreMainWindowStoryboard
Source: WebCompanion.exe	String found in binary or memory: SlideMainPanel!RestoreMainPanel5Themes/{0}/Custom_Pro.xaml=Themes/{0}/Custom_Reimage.xaml-Themes/{0}/Custom.xaml9MinimizeMainWindowStoryBoard/Stoping the service....'Service Stopped....GCould not stop WCAssistant Service YHideLoadingPanel: loaded = {0}; active = {1}7RestoreMainWindowStoryboard
Source: WebCompanion.exe	String found in binary or memory: http://tempuri.org/AddT
Source: WebCompanion.exe	String found in binary or memory: Action,http://tempuri.org/IVPNServiceWCF/LoadConfigT
Source: WebCompanion.exe	String found in binary or memory: ReplyAction4http://tempuri.org/IVPNServiceWCF/LoadConfigResponse

Source: classification engine

Classification label: sus39.troj.winEXE@2/6@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: WebCompanion.exe, 00000000.00000000.378595484.0000000001471000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS {0}(Id INTEGER PRIMARY KEY NOT NULL, Domain TEXT NULL, Date TEXT NULL);
Source: WebCompanion.exe, 00000000.00000000.378595484.0000000001471000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS {0}(Id INTEGER PRIMARY KEY NOT NULL, Key TEXT NULL, Value INTEGER NULL, LastModified TEXT NULL);#SELECT * FROM {0}-KEY,Value,LastModified)('{0}', {1}, '{2}'),

Source: C:\Users\user\Desktop\WebCompanion.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WebCompanion.exe

Static file information: File size 11456208 > 1048576

Source: WebCompanion.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WebCompanion.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WebCompanion.exe

Static PE information: certificate valid

Source: WebCompanion.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xae2600

Source: WebCompanion.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WebCompanion.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: PresentationFramework.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb0 source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: symbols\dll\PresentationCore.pdb5 source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb={ source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (Pvm@C:\Windows\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\PresentationCore.pdbH source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: c:\Windows\Temp\drone-3LBJqoTBedv1iSbk\drone\src\WebCompanion\Companion.UI\obj\x86\Debug\WebCompanion.pdb source: WebCompanion.exe
Source:	Binary string: System.Core.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: PresentationFramework.ni.pdbRSDS~J source: WER3526.tmp.dmp.3.dr
Source:	Binary string: PresentationCore.ni.pdbRSDS source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: WindowsBase.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xaml.ni.pdbRSDS\| source: WER3526.tmp.dmp.3.dr
Source:	Binary string: System.pdbL source: WER3526.tmp.dmp.3.dr
Source:	Binary string: c:\Windows\Temp\drone-3LBJqoTBedv1iSbk\drone\src\WebCompanion\Companion.UI\obj\x86\Debug\WebCompanion.pdbPE source: WebCompanion.exe
Source:	Binary string: \??\C:\Windows\symbols\dll\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationCore.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xaml.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\PresentationCore.pdbpdbore.pdb source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: WebCompanion.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationCore.pdbkb^ source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\PresentationCore.pdbi source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: PresentationCore.pdb source: WebCompanion.exe, 00000000.00000002.400884974.00000000018F8000.00000004.00000010.00020000.00000000.sdmp, WER3526.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER3526.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9 source: WebCompanion.exe, 00000000.00000002.400956060.0000000001A74000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\WebCompanion.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\WebCompanion.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\WebCompanion.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\WebCompanion.exe

Queries volume information: C:\Users\user\Desktop\WebCompanion.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\WebCompanion.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WebCompanion.exe	12%	ReversingLabs
WebCompanion.exe	10%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/GetComponentsVersionInfoT	3%	Virustotal		Browse
http://tempuri.org/IWCAssistantService/CreatUninstallInfoT	1%	Virustotal		Browse
http://tempuri.org/IWCAssistantService/CreatUninstallInfoT	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/IsVPNConnectedResponse	0%	Avira URL Cloud	safe
http://tempuri.org/GetComponentsVersionInfoT	0%	Avira URL Cloud	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://ocsp.entrust.net01	0%	URL Reputation	safe
http://ocsp.entrust.net00	0%	URL Reputation	safe
http://tempuri.org/IWCAssistantService/RunProcessT	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureT	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SilentUninstallT	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/LoadConfigResponse	0%	Avira URL Cloud	safe
http://tempuri.org/SendWCFeedbackT	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/RunasAdminResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetHomePageIEResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/IsVPNConnectedT	0%	Avira URL Cloud	safe
https://staging-reward.lavasoft.net/?	0%	Avira URL Cloud	safe
http://www.gophish.com	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/GetCurrentHomePageIEResponse	0%	Avira URL Cloud	safe
https://staging-reward.lavasoft.net/api/account/reward	0%	Avira URL Cloud	safe
http://www.lavasoftsupport.com/index.php?/forum/191-web-companion/	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/GetCurrentSearchIEResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/UpdateUninstallInfoResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/GetCurrentHomePageIET	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/VPNService.WCF.Modeli	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/UpdateUninstallInfoT	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetNewTabIET	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetHomePageIET	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetAutoRestoreSessionIET	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/GetCurrentSearchIET	0%	Avira URL Cloud	safe
http://tempuri.org/WcSendAutoResponseEmailT	0%	Avira URL Cloud	safe
http://tempuri.org/SignZipInstallerT	0%	Avira URL Cloud	safe
http://tempuri.org/GetComponentsInfoT	0%	Avira URL Cloud	safe
https://sandbox-featureflags-api.lavasoft.net/api/Update/WC	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/CopyFilesResponse	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/VPNService.WCF.Model	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/GetLocationsT	0%	Avira URL Cloud	safe
http://tempuri.org/AddT	0%	Avira URL Cloud	safe
http://10.45.0.17:8341/api/v1/activeFeatures/filter/partnerId/	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/GetLocationsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/SendEmailT	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/CopyFilesT	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/LoadConfigT	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetNewTabIEResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetSearchEngineIET	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/TurnOffVPNResponse	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/GetComponentsVersionInfoT	WebCompanion.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/detail/adaware-secure-search/mcecnfofnfjclaifchnaodlamfjlofkp	WebCompanion.exe	false		high
https://featureflags.lavasoft.com/api/Update/WCyhttps://sandbox-featureflags-api.lavasoft.net/api/fe	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/CreatUninstallInfoT	WebCompanion.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://securedsearch.lavasoft.com	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/RunProcessT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://www.codeproject.com/Articles/28093/Using-RoutedCommands-with-a-ViewModel-in-WPF	WebCompanion.exe	false		high
https://webcompanion.com/wp/index.php?partnerId=	WebCompanion.exe	false		high
http://tempuri.org/IVPNServiceWCF/IsVPNConnectedResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	WebCompanion.exe	false	URL Reputation: safe	unknown
http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/SilentUninstallT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://staging-reward.lavasoft.net/?	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0Copyright	WebCompanion.exe	false		high
http://tempuri.org/IVPNServiceWCF/LoadConfigResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/SendWCFeedbackT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://media.adaware.com/moviesextension/thankyou.php?partnerID=BT151101&sourceTraffic=WCU1908	WebCompanion.exe	false		high
https://open.webcompanion.com/feature/vpn_https://open.webcompanion.com/feature/wcrewardsMhttps://op	WebCompanion.exe	false		high
http://webcompanion.com/ff_extension/ffLanguages.json	WebCompanion.exe	false		high
http://in.adaware.com/wc/extension_install.php?exiturl=aHR0cDovL3dlYmNvbXBhbmlvbi5jb20vaW5zdGFsbC5wa	WebCompanion.exe	false		high
http://aia.entrust.net/evcs2-chain.p7c01	WebCompanion.exe	false		high
http://webcompanion.com/installed.php?extinstall=1QError	WebCompanion.exe	false		high
http://wpfanimatedgif.codeplex.com	WebCompanion.exe	false		high
http://www.entrust.net/rpa0	WebCompanion.exe	false		high
https://webcompanion.com/en/	WebCompanion.exe	false		high
https://twitter.com/lavasoft	WebCompanion.exe	false		high
http://www.gophish.com	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://www.lavasoft.com/terms_of_use/Ohttp://www.lavasoft.com/privacy_policy/	WebCompanion.exe	false		high
http://www.lavasoft.com/mylavasoft/contact	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/RunasAdminResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/SetHomePageIEResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/IsVPNConnectedT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://staging-reward.lavasoft.net/api/account/reward	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/GetCurrentHomePageIEResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/wc_onboarding_software_noab?lang=	WebCompanion.exe	false		high
http://www.lavasoftsupport.com/index.php?/forum/191-web-companion/	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/UpdateUninstallInfoResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/help#119Help	WebCompanion.exe	false		high
https://notiftrigger.adaware.com/notification-trigger-service/api/v1?partner=	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/GetCurrentSearchIEResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://sdl.adaware.com/cdn/BrowserExtensionInstaller.exe	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/GetCurrentHomePageIET	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/VPNService.WCF.Modeli	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://open.webcompanion.com/profile	WebCompanion.exe	false		high
https://www.adaware.com/sites/default/files/installers/H2OAutoUpdate/WCU006_s.exe	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/SetHomePageIET	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/feedback?utm_source=wc&utm_medium=wc&utm_campaign=wcg/WebCompanion;component	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/UpdateUninstallInfoT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://www.lavasoft.com	WebCompanion.exe	false		high
https://reward.webcompanion.com/?/Inside	WebCompanion.exe	false		high
https://webcompanion.com/download_extensions.php?partnerID=	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/SetNewTabIET	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://www.lavasoft.com/privacy_policy/	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/GetCurrentSearchIET	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/ab/index.php?partnerId=	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/SetAutoRestoreSessionIET	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://open.webcompanion.com/feature/myprotection	WebCompanion.exe	false		high
https://reward.webcompanion.com/api/account/reward?http://127.0.0.1:port/api/token	WebCompanion.exe	false		high
https://sandbox-featureflags-api.lavasoft.net/api/Update/WC	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://in.adaware.com/wc/extension_install.php?exiturl=aHR0cDovL3d3dy53ZWJjb21wYW5pb24uY29t&utm_camp	WebCompanion.exe	false		high
http://tempuri.org/WcSendAutoResponseEmailT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/faq	WebCompanion.exe	false		high
http://webcompanion.com/gw/gateway.php?pid=	WebCompanion.exe	false		high
http://tempuri.org/SignZipInstallerT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/CopyFilesResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://www.entrust.net/rpa0	WebCompanion.exe	false		high
http://tempuri.org/GetComponentsInfoT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/g2ca.crl0	WebCompanion.exe	false		high
http://schemas.datacontract.org/2004/07/VPNService.WCF.Model	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://featureflags.lavasoft.com/api/feature/WC	WebCompanion.exe	false		high
http://tempuri.org/AddT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net02	WebCompanion.exe	false	URL Reputation: safe	unknown
http://tempuri.org/IVPNServiceWCF/GetLocationsResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net01	WebCompanion.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net00	WebCompanion.exe	false	URL Reputation: safe	unknown
http://tempuri.org/IVPNServiceWCF/GetLocationsT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://10.45.0.17:8341/api/v1/activeFeatures/filter/partnerId/	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
https://www.adaware.com/privacy-policy	WebCompanion.exe	false		high
http://webcompanion.com/images/email/wc-title-header.png	WebCompanion.exe	false		high
http://rt.webcompanion.com/notifications/download/rt/Waterfoxsetup.exe	WebCompanion.exe	false		high
https://sdl.adaware.com/?bundleid=WCU001&savename=WCUpdater.exe	WebCompanion.exe	false		high
https://dwldvpn.adaware.com/get-app.aspx?configid=A63E3802-2966-4D05-8412-1F05409FD025	WebCompanion.exe	false		high
http://tempuri.org/SendEmailT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/LoadConfigT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/notification?timestamp=	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/SetNewTabIEResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/CopyFilesT	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/csbr1.crl0	WebCompanion.exe	false		high
https://ext.adaware.com//ts/	WebCompanion.exe	false		high
https://oauth.adaware.com/api=https://myaccount.adaware.com/ehttps://gateway.lavasoft.com/webcompani	WebCompanion.exe	false		high
http://webcompanion.com/mail-report-reply	WebCompanion.exe	false		high
http://tempuri.org/IWCAssistantService/SetSearchEngineIET	WebCompanion.exe	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/mz/browser_download.php?partner=	WebCompanion.exe	false		high
http://webcompanion.com/help	WebCompanion.exe	false		high
http://webcompanion.com/images/email/tw-icon.png	WebCompanion.exe	false		high
https://adaware.com/ext/inline.php?pid=	WebCompanion.exe	false		high
https://media.adaware.com/waterfox/onboarding/?utm_source=WebCompanion&utm_medium=Notifications&utm_	WebCompanion.exe	false		high
http://tempuri.org/IVPNServiceWCF/TurnOffVPNResponse	WebCompanion.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	895812
Start date and time:	2023-06-28 17:43:47 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	WebCompanion.exe
Detection:	SUS
Classification:	sus39.troj.winEXE@2/6@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:45:00	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion.exe_16c7fca3b08e152182663f628723c28ab16524_215fd746_1790532e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9634320834454905
Encrypted:	false
SSDEEP:	192:PYCEBQYTr3c9/iHHBUZMX8KwaPWw/u7st/S274ItXC2:P51Kwt8BUZMX6a5/u7st/X4Ity
MD5:	E85F765FCEBF657D87E0CD994302CFB2
SHA1:	7CD672952AC173293FCDB4D407A8182509F0EDF9
SHA-256:	5D8D2E9344C6990F937092738DC47DFC5C7F6801529DB70E0CB29E43A67F0CB9
SHA-512:	638A5B54B1FECDB3681BD83384D148938E743D9C34DE4073BA1502AEEF33D1BCC5EA592A73284272E9053D1A6F9A448F5901E34E9565FCEB5D1A0E835A89F7DF
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.2.4.7.3.0.9.3.2.0.1.5.1.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.2.4.7.3.0.9.4.2.9.5.2.7.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.a.a.9.0.3.3.-.3.6.9.b.-.4.a.9.5.-.9.9.3.5.-.d.5.3.f.f.b.8.6.c.5.e.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.2.2.8.5.7.6.-.8.7.2.7.-.4.3.1.7.-.a.8.f.4.-.c.f.6.e.e.7.8.a.2.2.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.5.c.-.0.0.0.1.-.0.0.1.f.-.0.d.b.0.-.6.1.e.9.2.2.a.a.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.a.b.2.c.a.6.7.5.9.7.2.7.d.e.c.e.9.8.f.4.6.1.1.3.f.8.6.d.d.4.e.0.0.0.0.0.0.0.0.!.0.0.0.0.a.9.6.7.8.8.d.e.8.b.8.9.2.c.d.3.4.1.a.c.3.b.6.d.f.0.e.c.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3526.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jun 29 00:44:53 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	239096
Entropy (8bit):	4.771915303275478
Encrypted:	false
SSDEEP:	3072:ZHhxQPs2KYN80vTjd+pdUi7dp0waC4iFUCgUULA9gIOgF5jsW0UZ:PNXYe0EpdU2pjTjmA9RpD7
MD5:	045B91DF5178D601B5675AD66BC23463
SHA1:	EEE8681C44EB52F94091156175A65D4345C2B93E
SHA-256:	B29C915F5BD82CA905723F9A63489B7E6124FE42F9581259CAABE1F80F6609C6
SHA-512:	5EA7107E0FD281AAE540A51F4864310FD4E2278320820FF254C475E15B772DC66A3120349DC2CD0B767A96D3D1E38F0002599297EBA1765E9B4B381CBC8797E7
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........d........................x............(...0..........T.......8...........T...............H...........t...........`....................................................................U...........B..............GenuineIntelW...........T.......\.....d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37A8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.700140332487368
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiFhq6U6YqPSUmgmf6z4x8SmCprm89bi8sf0kWm:RrlsNiu6U6YSSUmgmf042SxiPf1
MD5:	0B457485E2682ABA5DAAC5545FE57C63
SHA1:	4A02B03D429B65458990BCAE0C8BAB6334056479
SHA-256:	E75D3F34C8D29195F900C924AC7889D5326F5F18216141CB3CBA173104E8DBC3
SHA-512:	79A558BB5E6AF0D8DEF17B2CA0046E159D3E1D87E6861B1CF27C0A8167EBC6FB0112CBF999C3DC9BD720B00A4DDCDBA03E015E7397FE87C237BC8D1DBEC0F32E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37D8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4661
Entropy (8bit):	4.475866193971515
Encrypted:	false
SSDEEP:	48:cvIwSD8zsIJgtWI9t5Wgc8sqYjq8fm8M4Jx4jFtj+q8EZsXoGfFd:uITfO+IgrsqYrJx0jr+rfFd
MD5:	6A9A7D33BB45ADBA6031C2A01491D466
SHA1:	977903146AF0C038025F7C1E2D5795F11E7308A6
SHA-256:	BEA98CA5EE246177967F1A3449FC7F10E45F31DB664313D3E272BFC2923D7D24
SHA-512:	C861D4C69304DF8D5179E24BA7B61D39E2D9B787D20F7588A9BAD32CA2F4A3EFAD106DDAF9383A9B24A1F211697D5C21003334AF0EEE6BE437C73CE506F1324A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2105875" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.295200463986948
Encrypted:	false
SSDEEP:	12288:8gGB7Qyo+h9l61qBLcdBd1/gSF10aUF85SpGACu5xDUJa2v+TLSaCbT:gB7Qyo+h9l61qBCFP
MD5:	A1E072E150CEF80513A7EE728ABA54E0
SHA1:	72F7FD9BC218B15D4DB1DDB24663F1A60EF91015
SHA-256:	DD0B8A49F45089B3980195B95E7FA331E1E3AEA2F5C8AADECF855460993AFC6C
SHA-512:	503FF0225716D5D055AAE75B1BB0E45EA21C77F1EE19441CBBE34F46BB28329C539EF01BA796481B69D261AAAE93D5656B56F91A78BD92F3931E9E7E9DA0275D
Malicious:	false
Reputation:	low
Preview:	regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...."................................................................................................................................................................................................................................................................................................................................................o..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.821258789371998
Encrypted:	false
SSDEEP:	768:Nl8Rftx1JJ4JKHFdJ+nqpHx3kqIESC9O6MYrnte:i9ntfd
MD5:	950B6C39FE4C3EB1B48F7798EC3C3D0F
SHA1:	C079F4DBF5D05F18969A9D55ECD13E58ADE3A57D
SHA-256:	839DBF7D7E21A20E874F2554B93689E47CBB504890ECCADA4AA6EB52B6DEBE3B
SHA-512:	51DFB7F7E86130DC12044E4C2B2C76DA6C4BD1C827DE94C234FA66B459CAE1CD3CCDE795D9A903AB692E705061D9C31953C56E94A03054869C93D24F4B77F8B3
Malicious:	false
Reputation:	low
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...."................................................................................................................................................................................................................................................................................................................................................o..HvLE.n......i..............y..X.\6..=U..........0...................0..hbin................p.\..,..........nk,.2...".......h........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .2..."....... ........................... .......Z.......................Root........lf......Root....nk .2..."....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.0256736095812675
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WebCompanion.exe
File size:	11'456'208 bytes
MD5:	2234a9191d623036e247f4d28bb509c8
SHA1:	a96788de8b892cd341ac3b6df0ec943cdec68600
SHA256:	c090a298878546b93f3872adbe9e264be18cb6b538df8838a27cb9e9f0cad7a9
SHA512:	42f05003381478a7aab9fef9a6079a30e1a4cd27b19671d974669ba58844e9d7a9f9f248650987c05509a1abc139deb4c2048143bea356d85a5cdaa76b38e79d
SSDEEP:	98304:G1Rd28dsU/h9MYdzUEN0DGl8ItJvcdUhkgDKECh0eSec:G1Rd2d6h9MYOEPl8kJkd6dCvSec
TLSH:	29B6E000B6A02519C6AE973064B98224673D7806FF6FDA1B31FFB91C5FD2386DD0536A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.................&...t......~E... ...`....@.. ....................................@................................

File Icon


Icon Hash:	8011090b07071616

Static PE Info

General

Entrypoint:	0xee457e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63EDD1BC [Thu Feb 16 06:48:28 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Entrust Extended Validation Code Signing CA - EVCS2, O="Entrust, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	2/2/2022 6:55:54 AM 3/19/2023 7:55:53 AM
Subject Chain	CN=Lavasoft Software Canada Inc., SERIALNUMBER=709505-8, OID.2.5.4.15=Private Organization, O=Lavasoft Software Canada Inc., OID.1.3.6.1.4.1.311.60.2.1.3=CA, L=Saint-Laurent, S=Quebec, C=CA
Version:	3
Thumbprint MD5:	65ED22EEFF866EF7C9AE414426DADD8C
Thumbprint SHA-1:	2931F877D950671D5D5B5A66F4A727AB211AFEBC
Thumbprint SHA-256:	5F5591B8BCAA0F05EEBB7DA36AC55C5056030FEC5491E64401EB59AD19CE7FBE
Serial:	6DA0E6F83A7CAEB158D4352B4F324391

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xae4528	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae6000	0x70d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xae9c00	0x32d0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae43f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae2584	0xae2600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae6000	0x70d0	0x7200	False	0.3873012609649123	data	4.766759747907483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaee000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae6550	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2833 x 2833 px/m	0.3200354609929078
RT_ICON	0xae69b8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2833 x 2833 px/m	0.23688524590163934
RT_ICON	0xae7340	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2833 x 2833 px/m	0.1721388367729831
RT_ICON	0xae83e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2833 x 2833 px/m	0.1241701244813278
RT_ICON	0xaea990	0x1a7b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9648915769287506
RT_GROUP_ICON	0xaec410	0x4c	data	0.8157894736842105
RT_VERSION	0xae61f0	0x360	data	0.4131944444444444
RT_MANIFEST	0xaec460	0xc6f	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.352497643732328

Imports

DLL	Import
mscoree.dll	_CorExeMain

• WebCompanion.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• WebCompanion.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	17:44:50
Start date:	28/06/2023
Path:	C:\Users\user\Desktop\WebCompanion.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\WebCompanion.exe
Imagebase:	0xa80000
File size:	11'456'208 bytes
MD5 hash:	2234A9191D623036E247F4D28BB509C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	17:44:52
Start date:	28/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 772
Imagebase:	0x200000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WebCompanion.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WebCompanion.exe_16c7fca3b08e152182663f628723c28ab16524_215fd746_1790532e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3526.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37A8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37D8.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
WebCompanion.exe