a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

WCInstaller.exeWebCompanionInstaller.exeWebCompanion.exeLavasoft.WCAssistant.WinService.exe

pid process

2532 WCInstaller.exe
3032 WebCompanionInstaller.exe
3696 WebCompanion.exe
3040 Lavasoft.WCAssistant.WinService.exe

pid	process
2532	WCInstaller.exe
3032	WebCompanionInstaller.exe
3696	WebCompanion.exe
3040	Lavasoft.WCAssistant.WinService.exe

Loads dropped DLL 58 IoCs

Processes:

WebCompanionInstaller.exeWebCompanion.exe

pid	process
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3032	WebCompanionInstaller.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe
3696	WebCompanion.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com

flow	ioc
19	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

WebCompanionInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUEngineS.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\DotNetZip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Repositories.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionExtensionIE.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Extension\@wcextensionff.xpi	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.Shell32.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Extension.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Omni.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\System.Data.SQLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.Loader.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon_Pro.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	WebCompanionInstaller.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 10 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WebCompanionInstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WebCompanion.exe

description pid process

Token: SeDebugPrivilege 3696 WebCompanion.exe

description	pid	process
Token: SeDebugPrivilege	3696	WebCompanion.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Archive.zip__ccacaxs2tbz2t6ob3e.bin.exeWCInstaller.exeWebCompanionInstaller.execmd.exe

description	pid	process	target process
PID 508 wrote to memory of 2532	508	Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe	WCInstaller.exe
PID 508 wrote to memory of 2532	508	Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe	WCInstaller.exe
PID 508 wrote to memory of 2532	508	Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe	WCInstaller.exe
PID 2532 wrote to memory of 3032	2532	WCInstaller.exe	WebCompanionInstaller.exe
PID 2532 wrote to memory of 3032	2532	WCInstaller.exe	WebCompanionInstaller.exe
PID 2532 wrote to memory of 3032	2532	WCInstaller.exe	WebCompanionInstaller.exe
PID 3032 wrote to memory of 1772	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 1772	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 1772	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 2236	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 2236	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 2236	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 2564	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 2564	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 2564	3032	WebCompanionInstaller.exe	sc.exe
PID 3032 wrote to memory of 1900	3032	WebCompanionInstaller.exe	cmd.exe
PID 3032 wrote to memory of 1900	3032	WebCompanionInstaller.exe	cmd.exe
PID 3032 wrote to memory of 1900	3032	WebCompanionInstaller.exe	cmd.exe
PID 1900 wrote to memory of 4060	1900	cmd.exe	netsh.exe
PID 1900 wrote to memory of 4060	1900	cmd.exe	netsh.exe
PID 1900 wrote to memory of 4060	1900	cmd.exe	netsh.exe
PID 3032 wrote to memory of 3696	3032	WebCompanionInstaller.exe	WebCompanion.exe
PID 3032 wrote to memory of 3696	3032	WebCompanionInstaller.exe	WebCompanion.exe
PID 3032 wrote to memory of 3696	3032	WebCompanionInstaller.exe	WebCompanion.exe

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2354.4185 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
4⤵
PID:1772

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
4⤵
PID:2236

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
4⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
4⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
5⤵
PID:4060

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\VCRUNTIME140D.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

MD5
74adc34bd86c6bb013850136eb097456

SHA1
ad2a9a0544b48d1f42e7115eed1f24c6bc411913

SHA256
17850159d4cdb54ebd044b10ae62886a0e878576e6eb529e17e4750eacd99fd8

SHA512
d96f659f88b1ac6fc9501a4a71d26c02069c79d9edaa555c9c85b717c130e8eb3be9c656224e188f5ab7b991aec1f4e2008f1e86c5b52b18d4a0dfaca3bb9b80

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

MD5
74adc34bd86c6bb013850136eb097456

SHA1
ad2a9a0544b48d1f42e7115eed1f24c6bc411913

SHA256
17850159d4cdb54ebd044b10ae62886a0e878576e6eb529e17e4750eacd99fd8

SHA512
d96f659f88b1ac6fc9501a4a71d26c02069c79d9edaa555c9c85b717c130e8eb3be9c656224e188f5ab7b991aec1f4e2008f1e86c5b52b18d4a0dfaca3bb9b80

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config

MD5
8a41e1820d9ffd37491c51b331b379ec

SHA1
f2e32cccc16fa110d76da596b34908869f855d16

SHA256
c3dc39ae81e9d1b01e3a9adac090a98f79e976e00550f5b047427f5eae958d00

SHA512
d2ab76d2278152d4031fc5251b7e897a1e0b02a510b495644b704c58f0bce7b253a6b1d236a77f97551077f60559257dd11d55273c89342e7f7ee3a2a1e89c5e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\Partner.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\ICSharpCode.SharpZipLib.dll

MD5
5a8ee1e57a63d4c6afd0b09eeb860219

SHA1
231ede81f741cb3d736f360dc5d5bfb2ac44ba12

SHA256
dc009d4ebdb578c98e4edc752ed7dcd46fc3ffa199ecaccbec5542dd3b34eaa6

SHA512
1beed12d412c6b2d62ade03888a0f31b1b4735e6f93270d0a3a5a91773f0084efe0ae4494f4b7969b37d07ca8c1266582725becbb34958e91b64d9bc6be9bb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\Newtonsoft.Json.dll

MD5
5d06e0b95f7e4128194a6f517125bede

SHA1
a78d45faffbc3628f2fc3243485e59fbd429721e

SHA256
530b79ff0f7dcfeceb0d369f7aa4ff9e0ee97b7c604cf8932c27dcbe29198b2c

SHA512
5de8b691f012454044c9737730b9b06239fdbdbb343407d299e1c5c58cd8cc63f12ba0c9520d695a4ac55eee239fd354d92e57d68b24a29c0494a3fa0730c861

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\WebCompanionInstaller.exe

MD5
86f911c125a0750b159990af56f524f6

SHA1
baedde9e161f5f5cbe470fe147978f1845dbdbc9

SHA256
0063bc6e62666112f32273e4175c62f78c9ad9c75e1fd8c6dbd2c56cf68a961c

SHA512
4c2cfcdb64df5b749aa5e448e12fafad3d9bf47b61f3b9c2423af1651acee373379338f4a0c52898fcd4dc6a9cb96c19b081eea5c9165d1ea90128e01053fbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\WebCompanionInstaller.exe

MD5
86f911c125a0750b159990af56f524f6

SHA1
baedde9e161f5f5cbe470fe147978f1845dbdbc9

SHA256
0063bc6e62666112f32273e4175c62f78c9ad9c75e1fd8c6dbd2c56cf68a961c

SHA512
4c2cfcdb64df5b749aa5e448e12fafad3d9bf47b61f3b9c2423af1651acee373379338f4a0c52898fcd4dc6a9cb96c19b081eea5c9165d1ea90128e01053fbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\WebCompanionInstaller.exe.config

MD5
0d86e732c7d385b99b69eb1ec27af0a3

SHA1
f5ff2bfc03b4b7704f5c2add6f7efcd7e177006e

SHA256
b33e2cb24a9641d16dab02ba41564b7b3a6cfd9c81843878d04f93b4a6ea875e

SHA512
87b8a4de11c14b9d0f3b93b26f8bab47c53feae3a00d4d11da7a1ff4dd3fd4408ffb9a2157752608800f0a0beaba15fb4dadaaa0d16db28c6604ca400979c36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe

MD5
d3541b516a76755a3da9c5fe5d06940c

SHA1
c28f4c4ebf1fa7a94415ebf41776c65b2de7eee9

SHA256
ddba9a0e5ec5829c79b4c81100fd8bd7f6e5f5f854e7be6b27287d846424d719

SHA512
dccaf71a8fa6d9b87d7480e2a7d32f7b741e45fec875feb39be8d6fd44979469db48cccbd029e65765b7f28bdf908152cbe9da620d4c1e3d00bd653cd9e5af25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe

MD5
d3541b516a76755a3da9c5fe5d06940c

SHA1
c28f4c4ebf1fa7a94415ebf41776c65b2de7eee9

SHA256
ddba9a0e5ec5829c79b4c81100fd8bd7f6e5f5f854e7be6b27287d846424d719

SHA512
dccaf71a8fa6d9b87d7480e2a7d32f7b741e45fec875feb39be8d6fd44979469db48cccbd029e65765b7f28bdf908152cbe9da620d4c1e3d00bd653cd9e5af25

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\ICSharpCode.SharpZipLib.dll

MD5
5a8ee1e57a63d4c6afd0b09eeb860219

SHA1
231ede81f741cb3d736f360dc5d5bfb2ac44ba12

SHA256
dc009d4ebdb578c98e4edc752ed7dcd46fc3ffa199ecaccbec5542dd3b34eaa6

SHA512
1beed12d412c6b2d62ade03888a0f31b1b4735e6f93270d0a3a5a91773f0084efe0ae4494f4b7969b37d07ca8c1266582725becbb34958e91b64d9bc6be9bb74

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\ICSharpCode.SharpZipLib.dll

MD5
5a8ee1e57a63d4c6afd0b09eeb860219

SHA1
231ede81f741cb3d736f360dc5d5bfb2ac44ba12

SHA256
dc009d4ebdb578c98e4edc752ed7dcd46fc3ffa199ecaccbec5542dd3b34eaa6

SHA512
1beed12d412c6b2d62ade03888a0f31b1b4735e6f93270d0a3a5a91773f0084efe0ae4494f4b7969b37d07ca8c1266582725becbb34958e91b64d9bc6be9bb74

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\ICSharpCode.SharpZipLib.dll

MD5
5a8ee1e57a63d4c6afd0b09eeb860219

SHA1
231ede81f741cb3d736f360dc5d5bfb2ac44ba12

SHA256
dc009d4ebdb578c98e4edc752ed7dcd46fc3ffa199ecaccbec5542dd3b34eaa6

SHA512
1beed12d412c6b2d62ade03888a0f31b1b4735e6f93270d0a3a5a91773f0084efe0ae4494f4b7969b37d07ca8c1266582725becbb34958e91b64d9bc6be9bb74

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\ICSharpCode.SharpZipLib.dll

MD5
5a8ee1e57a63d4c6afd0b09eeb860219

SHA1
231ede81f741cb3d736f360dc5d5bfb2ac44ba12

SHA256
dc009d4ebdb578c98e4edc752ed7dcd46fc3ffa199ecaccbec5542dd3b34eaa6

SHA512
1beed12d412c6b2d62ade03888a0f31b1b4735e6f93270d0a3a5a91773f0084efe0ae4494f4b7969b37d07ca8c1266582725becbb34958e91b64d9bc6be9bb74

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\Newtonsoft.Json.dll

MD5
5d06e0b95f7e4128194a6f517125bede

SHA1
a78d45faffbc3628f2fc3243485e59fbd429721e

SHA256
530b79ff0f7dcfeceb0d369f7aa4ff9e0ee97b7c604cf8932c27dcbe29198b2c

SHA512
5de8b691f012454044c9737730b9b06239fdbdbb343407d299e1c5c58cd8cc63f12ba0c9520d695a4ac55eee239fd354d92e57d68b24a29c0494a3fa0730c861

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\Newtonsoft.Json.dll

MD5
5d06e0b95f7e4128194a6f517125bede

SHA1
a78d45faffbc3628f2fc3243485e59fbd429721e

SHA256
530b79ff0f7dcfeceb0d369f7aa4ff9e0ee97b7c604cf8932c27dcbe29198b2c

SHA512
5de8b691f012454044c9737730b9b06239fdbdbb343407d299e1c5c58cd8cc63f12ba0c9520d695a4ac55eee239fd354d92e57d68b24a29c0494a3fa0730c861

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\Newtonsoft.Json.dll

MD5
5d06e0b95f7e4128194a6f517125bede

SHA1
a78d45faffbc3628f2fc3243485e59fbd429721e

SHA256
530b79ff0f7dcfeceb0d369f7aa4ff9e0ee97b7c604cf8932c27dcbe29198b2c

SHA512
5de8b691f012454044c9737730b9b06239fdbdbb343407d299e1c5c58cd8cc63f12ba0c9520d695a4ac55eee239fd354d92e57d68b24a29c0494a3fa0730c861

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\Newtonsoft.Json.dll

MD5
5d06e0b95f7e4128194a6f517125bede

SHA1
a78d45faffbc3628f2fc3243485e59fbd429721e

SHA256
530b79ff0f7dcfeceb0d369f7aa4ff9e0ee97b7c604cf8932c27dcbe29198b2c

SHA512
5de8b691f012454044c9737730b9b06239fdbdbb343407d299e1c5c58cd8cc63f12ba0c9520d695a4ac55eee239fd354d92e57d68b24a29c0494a3fa0730c861

Download Submit
memory/1772-18-0x0000000000000000-mapping.dmp

Download
memory/1900-21-0x0000000000000000-mapping.dmp

Download
memory/2236-19-0x0000000000000000-mapping.dmp

Download
memory/2532-0-0x0000000000000000-mapping.dmp

Download
memory/2564-20-0x0000000000000000-mapping.dmp

Download
memory/3032-3-0x0000000000000000-mapping.dmp

Download
memory/3040-106-0x00007FF808200000-0x00007FF808BA0000-memory.dmp

Filesize
9.6MB

Download
memory/3696-97-0x000000006F490000-0x000000006FB7E000-memory.dmp

Filesize
6.9MB

Download
memory/3696-100-0x000000000CE60000-0x000000000CE61000-memory.dmp

Filesize
4KB

Download
memory/3696-23-0x0000000000000000-mapping.dmp

Download
memory/4060-22-0x0000000000000000-mapping.dmp

Download