1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Resubmissions

22-11-2023 17:02

231122-vkac9adg64 10

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

max time kernel
513s
max time network
525s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archive.zip__ccacaxs2tbz2t6ob3e.exe

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

WCInstaller.exeWebCompanionInstaller.exeWebCompanion.exeLavasoft.WCAssistant.WinService.exeAd-Aware Web Companion.exeWebCompanion.exeCA1A.tmp.exe

pid	process
3400	WCInstaller.exe
2892	WebCompanionInstaller.exe
2632	WebCompanion.exe
3924	Lavasoft.WCAssistant.WinService.exe
4276	Ad-Aware Web Companion.exe
4432	WebCompanion.exe
4936	CA1A.tmp.exe

Loads dropped DLL 64 IoCs

Processes:

WebCompanionInstaller.exeWebCompanion.exe

pid	process
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2892	WebCompanionInstaller.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

WebCompanion.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WebCompanion.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

flow	ioc
16	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2	Lavasoft.WCAssistant.WinService.exe

Drops file in Program Files directory 64 IoCs

Processes:

WebCompanionInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Extension\@wcextensionff.xpi	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUEngineS.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.Loader.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ionic.Zip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Repositories.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\LZ4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionExtensionIE.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\acs17.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUSDK.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\DotNetZip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon_Pro.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Extension.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Omni.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	WebCompanionInstaller.exe

Drops file in Windows directory 7 IoCs

Processes:

WebCompanion.exeWebCompanionInstaller.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	WebCompanion.exe
File created	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\OSDFileURL = " "	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1"	WebCompanion.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	WebCompanion.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?pc=COS2&ptag=D111920-N0700AB91A1A2A71DC4AF78EF&form=CONBDF&conlogo=CT3331955&q={searchTerms}"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "https://www.bing.com/osjson.aspx?query={searchTerms}"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\ProgramData\\Lavasoft\\Web Companion\\Icons\\bing.ico"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowTopResult = "1"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURL = "http://www.bing.com/search?pc=COS2&ptag=D111920-N0700AB91A1A2A71DC4AF78EF&form=CONBDF&conlogo=CT3331955&q={searchTerms}"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	WebCompanion.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.bing.com/?pc=COS2&ptag=D111920-AB91A1A2A71DC4AF78EF&form=CONMHP&conlogo=CT3331955"	WebCompanion.exe

Modifies data under HKEY_USERS 54 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WebCompanionInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exeWebCompanion.exeWebCompanion.exe

pid	process
3924	Lavasoft.WCAssistant.WinService.exe
3924	Lavasoft.WCAssistant.WinService.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
2632	WebCompanion.exe
4432	WebCompanion.exe
4432	WebCompanion.exe
4432	WebCompanion.exe
4432	WebCompanion.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WebCompanion.exeLavasoft.WCAssistant.WinService.exeWebCompanion.exe

description	pid	process
Token: SeDebugPrivilege	2632	WebCompanion.exe
Token: SeDebugPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeAssignPrimaryTokenPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeIncreaseQuotaPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeSecurityPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeTakeOwnershipPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeLoadDriverPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemtimePrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeBackupPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeShutdownPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemEnvironmentPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeUndockPrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeManageVolumePrivilege	3924	Lavasoft.WCAssistant.WinService.exe
Token: SeDebugPrivilege	4432	WebCompanion.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WebCompanion.exe

pid process

4432 WebCompanion.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WebCompanion.exe

pid process

4432 WebCompanion.exe

pid	process
4432	WebCompanion.exe

pid	process
4432	WebCompanion.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

Archive.zip__ccacaxs2tbz2t6ob3e.exeWCInstaller.exeWebCompanionInstaller.execmd.exeLavasoft.WCAssistant.WinService.execmd.exeWebCompanion.execsc.execsc.exeWebCompanion.execsc.exe

description	pid	process	target process
PID 1108 wrote to memory of 3400	1108	Archive.zip__ccacaxs2tbz2t6ob3e.exe	WCInstaller.exe
PID 1108 wrote to memory of 3400	1108	Archive.zip__ccacaxs2tbz2t6ob3e.exe	WCInstaller.exe
PID 1108 wrote to memory of 3400	1108	Archive.zip__ccacaxs2tbz2t6ob3e.exe	WCInstaller.exe
PID 3400 wrote to memory of 2892	3400	WCInstaller.exe	WebCompanionInstaller.exe
PID 3400 wrote to memory of 2892	3400	WCInstaller.exe	WebCompanionInstaller.exe
PID 3400 wrote to memory of 2892	3400	WCInstaller.exe	WebCompanionInstaller.exe
PID 2892 wrote to memory of 3060	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 3060	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 3060	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 2772	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 2772	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 2772	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 2748	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 2748	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 2748	2892	WebCompanionInstaller.exe	sc.exe
PID 2892 wrote to memory of 3944	2892	WebCompanionInstaller.exe	cmd.exe
PID 2892 wrote to memory of 3944	2892	WebCompanionInstaller.exe	cmd.exe
PID 2892 wrote to memory of 3944	2892	WebCompanionInstaller.exe	cmd.exe
PID 3944 wrote to memory of 1856	3944	cmd.exe	netsh.exe
PID 3944 wrote to memory of 1856	3944	cmd.exe	netsh.exe
PID 3944 wrote to memory of 1856	3944	cmd.exe	netsh.exe
PID 2892 wrote to memory of 2632	2892	WebCompanionInstaller.exe	WebCompanion.exe
PID 2892 wrote to memory of 2632	2892	WebCompanionInstaller.exe	WebCompanion.exe
PID 2892 wrote to memory of 2632	2892	WebCompanionInstaller.exe	WebCompanion.exe
PID 3924 wrote to memory of 1032	3924	Lavasoft.WCAssistant.WinService.exe	cmd.exe
PID 3924 wrote to memory of 1032	3924	Lavasoft.WCAssistant.WinService.exe	cmd.exe
PID 1032 wrote to memory of 3892	1032	cmd.exe	netsh.exe
PID 1032 wrote to memory of 3892	1032	cmd.exe	netsh.exe
PID 2632 wrote to memory of 3820	2632	WebCompanion.exe	csc.exe
PID 2632 wrote to memory of 3820	2632	WebCompanion.exe	csc.exe
PID 2632 wrote to memory of 3820	2632	WebCompanion.exe	csc.exe
PID 3820 wrote to memory of 1880	3820	csc.exe	cvtres.exe
PID 3820 wrote to memory of 1880	3820	csc.exe	cvtres.exe
PID 3820 wrote to memory of 1880	3820	csc.exe	cvtres.exe
PID 3924 wrote to memory of 4180	3924	Lavasoft.WCAssistant.WinService.exe	csc.exe
PID 3924 wrote to memory of 4180	3924	Lavasoft.WCAssistant.WinService.exe	csc.exe
PID 4180 wrote to memory of 4236	4180	csc.exe	cvtres.exe
PID 4180 wrote to memory of 4236	4180	csc.exe	cvtres.exe
PID 2632 wrote to memory of 4276	2632	WebCompanion.exe	Ad-Aware Web Companion.exe
PID 2632 wrote to memory of 4276	2632	WebCompanion.exe	Ad-Aware Web Companion.exe
PID 2632 wrote to memory of 4276	2632	WebCompanion.exe	Ad-Aware Web Companion.exe
PID 2892 wrote to memory of 4432	2892	WebCompanionInstaller.exe	WebCompanion.exe
PID 2892 wrote to memory of 4432	2892	WebCompanionInstaller.exe	WebCompanion.exe
PID 2892 wrote to memory of 4432	2892	WebCompanionInstaller.exe	WebCompanion.exe
PID 1108 wrote to memory of 4936	1108	Archive.zip__ccacaxs2tbz2t6ob3e.exe	CA1A.tmp.exe
PID 1108 wrote to memory of 4936	1108	Archive.zip__ccacaxs2tbz2t6ob3e.exe	CA1A.tmp.exe
PID 1108 wrote to memory of 4936	1108	Archive.zip__ccacaxs2tbz2t6ob3e.exe	CA1A.tmp.exe
PID 4432 wrote to memory of 4144	4432	WebCompanion.exe	csc.exe
PID 4432 wrote to memory of 4144	4432	WebCompanion.exe	csc.exe
PID 4432 wrote to memory of 4144	4432	WebCompanion.exe	csc.exe
PID 4144 wrote to memory of 4240	4144	csc.exe	cvtres.exe
PID 4144 wrote to memory of 4240	4144	csc.exe	cvtres.exe
PID 4144 wrote to memory of 4240	4144	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2354.4185 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
4⤵
PID:3060

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
4⤵
PID:2772

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
4⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
4⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
5⤵
PID:1856

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7zowtfll.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3971.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3970.tmp"
6⤵
PID:1880

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe" {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
5⤵
- Executes dropped EXE
PID:4276

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-imuaq-m.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES407D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC407C.tmp"
6⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\CA1A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\CA1A.tmp.exe
2⤵
- Executes dropped EXE
PID:4936

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
3⤵
- Modifies data under HKEY_USERS
PID:3892

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\5qfar25f.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES56EC.tmp" "c:\Windows\Temp\CSC56EB.tmp"
3⤵
PID:4236

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\VCRUNTIME140D.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll

Download Submit
C:\ProgramData\Application Data\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Logs\WindowsService\WCAssistantServiceLog.log

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ActiveFeatures.zip

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\EventSafeguard.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\Partner.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ProfileInfo.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ServicePartnerInfo.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\UpdateServer.txt

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\b_search.json

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\install.txt

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\7.0.2354.4185\user.config

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WebCompanion.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WebCompanion.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\-imuaq-m.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\ICSharpCode.SharpZipLib.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\Newtonsoft.Json.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\WebCompanionInstaller.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\WebCompanionInstaller.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\WebCompanionInstaller.exe.config

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zowtfll.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1A.tmp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1A.tmp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3971.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES407D.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recover.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\FData.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\IData.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\Language.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\up70r7vk.default-release\prefs.js

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\up70r7vk.default-release\search.json.mozlz4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Download Submit
C:\Windows\TEMP\5qfar25f.dll

Download Submit
C:\Windows\TEMP\RES56EC.tmp

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-imuaq-m.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-imuaq-m.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7zowtfll.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7zowtfll.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3970.tmp

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC407C.tmp

Download Submit
\??\c:\Windows\Temp\5qfar25f.0.cs

Download Submit
\??\c:\Windows\Temp\5qfar25f.cmdline

Download Submit
\??\c:\Windows\Temp\CSC56EB.tmp

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\ICSharpCode.SharpZipLib.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\ICSharpCode.SharpZipLib.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\ICSharpCode.SharpZipLib.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\ICSharpCode.SharpZipLib.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\Newtonsoft.Json.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\Newtonsoft.Json.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\Newtonsoft.Json.dll

Download Submit
\Users\Admin\AppData\Local\Temp\7zS84D416F4\Newtonsoft.Json.dll

Download Submit
memory/1032-109-0x0000000000000000-mapping.dmp

Download
memory/1856-21-0x0000000000000000-mapping.dmp

Download
memory/1880-114-0x0000000000000000-mapping.dmp

Download
memory/2632-97-0x000000006F3C0000-0x000000006FAAE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-22-0x0000000000000000-mapping.dmp

Download
memory/2632-100-0x000000000ADC0000-0x000000000ADC1000-memory.dmp

Filesize
4KB

Download
memory/2748-19-0x0000000000000000-mapping.dmp

Download
memory/2772-18-0x0000000000000000-mapping.dmp

Download
memory/2892-3-0x0000000000000000-mapping.dmp

Download
memory/3060-17-0x0000000000000000-mapping.dmp

Download
memory/3400-0-0x0000000000000000-mapping.dmp

Download
memory/3820-111-0x0000000000000000-mapping.dmp

Download
memory/3892-110-0x0000000000000000-mapping.dmp

Download
memory/3924-106-0x00007FFC44690000-0x00007FFC45030000-memory.dmp

Filesize
9.6MB

Download
memory/3944-20-0x0000000000000000-mapping.dmp

Download
memory/4144-229-0x0000000000000000-mapping.dmp

Download
memory/4180-125-0x0000000000000000-mapping.dmp

Download
memory/4236-128-0x0000000000000000-mapping.dmp

Download
memory/4240-232-0x0000000000000000-mapping.dmp

Download
memory/4276-133-0x0000000000000000-mapping.dmp

Download
memory/4432-145-0x0000000000000000-mapping.dmp

Download
memory/4432-198-0x000000006F740000-0x000000006FE2E000-memory.dmp

Filesize
6.9MB

Download
memory/4432-241-0x000000000EBB0000-0x000000000EBB1000-memory.dmp

Filesize
4KB

Download
memory/4432-253-0x000000000EBB0000-0x000000000EBC0000-memory.dmp

Filesize
64KB

Download
memory/4432-201-0x000000000CF50000-0x000000000CF51000-memory.dmp

Filesize
4KB

Download
memory/4860-217-0x00007FFC44690000-0x00007FFC45030000-memory.dmp

Filesize
9.6MB

Download
memory/4936-220-0x0000000000000000-mapping.dmp

Download