Overview
overview
10Static
static
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
4ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
9ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
1Analysis
-
max time kernel
301s -
max time network
257s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 15:58
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.bin.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3qakbot86920224spx1291590734339agilenetbankerbotnetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3qakbot86920224spx1291590734339agilenetbankerbotnetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
azorultplugxredlinesmokeloadertofseevidarxmrignew_year_btcbackdoorbootkitdiscoveryevasioninfostealermacrominerpersistencespywarestealertrojanupxvmprotectxlm
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
HYDRA.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
Keygen.exe
Resource
win10v20201028
asyncratazorultmodiloaderoskiraccoonremcos5e4db353b88c002ba6466c06437973619aad03b3discoveryevasioninfostealerpersistenceratspywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
OnlineInstaller.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
azorultplugxredlinesmokeloadervidarnew_year_btcbackdoorbootkitdiscoveryevasioninfostealermacropersistencespywarestealertrojanupxxlm
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
VyprVPN.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
WSHSetup[1].exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
api.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
good.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
infected dot net installer.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
update.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
vir1.xls
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
xNet.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Score
8/10
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
pid Process 3860 WCInstaller.exe 4056 WebCompanionInstaller.exe 1748 WebCompanion.exe 1536 Lavasoft.WCAssistant.WinService.exe 4436 Ad-Aware Web Companion.exe 4936 WebCompanion.exe 500 B1FE.tmp.exe -
Loads dropped DLL 64 IoCs
pid Process 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 4056 WebCompanionInstaller.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize " WebCompanion.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini WebCompanion.exe File opened for modification C:\Windows\assembly\Desktop.ini WebCompanion.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE Lavasoft.WCAssistant.WinService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE Lavasoft.WCAssistant.WinService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2 Lavasoft.WCAssistant.WinService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2 Lavasoft.WCAssistant.WinService.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Extension\@wcextensionff.xpi WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ionic.Zip.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon_Pro.ico WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\acs17.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUEngineS.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.Loader.exe WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\DotNetZip.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe.config WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Repositories.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\LZ4.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe File created C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanionInstaller.resources.dll WebCompanionInstaller.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new WebCompanionInstaller.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new WebCompanionInstaller.exe File opened for modification C:\Windows\assembly WebCompanion.exe File created C:\Windows\assembly\Desktop.ini WebCompanion.exe File opened for modification C:\Windows\assembly\Desktop.ini WebCompanion.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new WebCompanion.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new WebCompanion.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowTopResult = "1" WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURL = "http://www.bing.com/search?pc=COS2&ptag=D111820-N0700AB91A1A2A71DC4AF78EF&form=CONBDF&conlogo=CT3331955&q={searchTerms}" WebCompanion.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" WebCompanion.exe Key deleted \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?pc=COS2&ptag=D111820-N0700AB91A1A2A71DC4AF78EF&form=CONBDF&conlogo=CT3331955&q={searchTerms}" WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\ProgramData\\Lavasoft\\Web Companion\\Icons\\bing.ico" WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" WebCompanion.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1" WebCompanion.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "https://www.bing.com/osjson.aspx?query={searchTerms}" WebCompanion.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\OSDFileURL = " " WebCompanion.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.bing.com/?pc=COS2&ptag=D111820-AB91A1A2A71DC4AF78EF&form=CONMHP&conlogo=CT3331955" WebCompanion.exe -
Modifies data under HKEY_USERS 54 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs Lavasoft.WCAssistant.WinService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs Lavasoft.WCAssistant.WinService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs Lavasoft.WCAssistant.WinService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust Lavasoft.WCAssistant.WinService.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates Lavasoft.WCAssistant.WinService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Lavasoft.WCAssistant.WinService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs Lavasoft.WCAssistant.WinService.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 WebCompanionInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 WebCompanionInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 WebCompanionInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 WebCompanionInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 WebCompanionInstaller.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1536 Lavasoft.WCAssistant.WinService.exe 1536 Lavasoft.WCAssistant.WinService.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 1748 WebCompanion.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 1748 WebCompanion.exe Token: SeDebugPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeAssignPrimaryTokenPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeIncreaseQuotaPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeSecurityPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeTakeOwnershipPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeLoadDriverPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeSystemtimePrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeBackupPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeRestorePrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeShutdownPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeSystemEnvironmentPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeUndockPrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeManageVolumePrivilege 1536 Lavasoft.WCAssistant.WinService.exe Token: SeDebugPrivilege 4936 WebCompanion.exe Token: SeDebugPrivilege 3168 taskmgr.exe Token: SeSystemProfilePrivilege 3168 taskmgr.exe Token: SeCreateGlobalPrivilege 3168 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4936 WebCompanion.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4936 WebCompanion.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe 3168 taskmgr.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 4704 wrote to memory of 3860 4704 Archive.zip__ccacaxs2tbz2t6ob3e.exe 78 PID 4704 wrote to memory of 3860 4704 Archive.zip__ccacaxs2tbz2t6ob3e.exe 78 PID 4704 wrote to memory of 3860 4704 Archive.zip__ccacaxs2tbz2t6ob3e.exe 78 PID 3860 wrote to memory of 4056 3860 WCInstaller.exe 79 PID 3860 wrote to memory of 4056 3860 WCInstaller.exe 79 PID 3860 wrote to memory of 4056 3860 WCInstaller.exe 79 PID 4056 wrote to memory of 4480 4056 WebCompanionInstaller.exe 80 PID 4056 wrote to memory of 4480 4056 WebCompanionInstaller.exe 80 PID 4056 wrote to memory of 4480 4056 WebCompanionInstaller.exe 80 PID 4056 wrote to memory of 808 4056 WebCompanionInstaller.exe 82 PID 4056 wrote to memory of 808 4056 WebCompanionInstaller.exe 82 PID 4056 wrote to memory of 808 4056 WebCompanionInstaller.exe 82 PID 4056 wrote to memory of 616 4056 WebCompanionInstaller.exe 84 PID 4056 wrote to memory of 616 4056 WebCompanionInstaller.exe 84 PID 4056 wrote to memory of 616 4056 WebCompanionInstaller.exe 84 PID 4056 wrote to memory of 1328 4056 WebCompanionInstaller.exe 86 PID 4056 wrote to memory of 1328 4056 WebCompanionInstaller.exe 86 PID 4056 wrote to memory of 1328 4056 WebCompanionInstaller.exe 86 PID 1328 wrote to memory of 1592 1328 cmd.exe 88 PID 1328 wrote to memory of 1592 1328 cmd.exe 88 PID 1328 wrote to memory of 1592 1328 cmd.exe 88 PID 4056 wrote to memory of 1748 4056 WebCompanionInstaller.exe 89 PID 4056 wrote to memory of 1748 4056 WebCompanionInstaller.exe 89 PID 4056 wrote to memory of 1748 4056 WebCompanionInstaller.exe 89 PID 1536 wrote to memory of 2812 1536 Lavasoft.WCAssistant.WinService.exe 91 PID 1536 wrote to memory of 2812 1536 Lavasoft.WCAssistant.WinService.exe 91 PID 2812 wrote to memory of 3960 2812 cmd.exe 93 PID 2812 wrote to memory of 3960 2812 cmd.exe 93 PID 1748 wrote to memory of 4920 1748 WebCompanion.exe 94 PID 1748 wrote to memory of 4920 1748 WebCompanion.exe 94 PID 1748 wrote to memory of 4920 1748 WebCompanion.exe 94 PID 4920 wrote to memory of 4152 4920 csc.exe 96 PID 4920 wrote to memory of 4152 4920 csc.exe 96 PID 4920 wrote to memory of 4152 4920 csc.exe 96 PID 1536 wrote to memory of 4356 1536 Lavasoft.WCAssistant.WinService.exe 99 PID 1536 wrote to memory of 4356 1536 Lavasoft.WCAssistant.WinService.exe 99 PID 4356 wrote to memory of 2056 4356 csc.exe 101 PID 4356 wrote to memory of 2056 4356 csc.exe 101 PID 1748 wrote to memory of 4436 1748 WebCompanion.exe 102 PID 1748 wrote to memory of 4436 1748 WebCompanion.exe 102 PID 1748 wrote to memory of 4436 1748 WebCompanion.exe 102 PID 4056 wrote to memory of 4936 4056 WebCompanionInstaller.exe 103 PID 4056 wrote to memory of 4936 4056 WebCompanionInstaller.exe 103 PID 4056 wrote to memory of 4936 4056 WebCompanionInstaller.exe 103 PID 4704 wrote to memory of 500 4704 Archive.zip__ccacaxs2tbz2t6ob3e.exe 105 PID 4704 wrote to memory of 500 4704 Archive.zip__ccacaxs2tbz2t6ob3e.exe 105 PID 4704 wrote to memory of 500 4704 Archive.zip__ccacaxs2tbz2t6ob3e.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exeC:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=1 --search=1 --campaign=2922⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\7zS41F742A4\WebCompanionInstaller.exe.\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2354.4185 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=2923⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\sc.exe"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto4⤵PID:4480
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" failure WCAssistantService reset= 30 actions= restart/600004⤵PID:808
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"4⤵PID:616
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone4⤵
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\netsh.exenetsh http add urlacl url=http://+:9007/ user=Everyone5⤵PID:1592
-
-
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wribbtiu.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C63.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1C62.tmp"6⤵PID:4152
-
-
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe" {0633EE93-D776-472f-A0FF-E1416B8B2E3A}5⤵
- Executes dropped EXE
PID:4436
-
-
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4936
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B1FE.tmp.exeC:\Users\Admin\AppData\Local\Temp\B1FE.tmp.exe2⤵
- Executes dropped EXE
PID:500
-
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone2⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\system32\netsh.exenetsh http add urlacl url=http://+:9007/ user=Everyone3⤵
- Modifies data under HKEY_USERS
PID:3960
-
-
-
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\xwvdb-tt.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES3FBA.tmp" "c:\Windows\Temp\CSC3FB9.tmp"3⤵PID:2056
-
-
-
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe1⤵PID:4628
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3168