redline | 4c1baefb3e979faa7733ff1269d1909553eb583c9994c93e80207993ab05b414

Analysis

max time kernel
126s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
13-02-2021 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat_417615128.exe
Size

2.8MB
MD5

ad5b3a6c1f20e8e3fdd53ccd00ceac4e
SHA1

39983d7eb929e2ab3855bb0b6cf1fc9f644c2b1c
SHA256

e8d312cec2a96d167a27898fbc99d5edaaa8b34e805bb57904561eec1f55e618
SHA512

b46e751ed9db95fbeb966151bd84a6b5c1421d5e66ed291cf4a749cd9292a44968cfaeaa49502de5ca895e3fed8296d0fdc91dcbc05dfec6b19e418d3cf64b2b

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-61-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1600-62-0x0000000000421E02-mapping.dmp	family_redline
behavioral1/memory/1600-64-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/596-80-0x0000000000421E02-mapping.dmp	family_redline
behavioral1/memory/596-79-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/596-82-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 12 IoCs

Processes:

cheat_417615128.tmpFugiat.exeWcInstaller.exeWebCompanionInstaller.exe0XDDoHrU241vwQ.exevpn.exeSosamCelka.exeDoretyypenis.exeWebCompanion.exeLavasoft.WCAssistant.WinService.exeAd-Aware Web Companion.exeWebCompanion.exe

pid	process
1488	cheat_417615128.tmp
1976	Fugiat.exe
1940	WcInstaller.exe
1660	WebCompanionInstaller.exe
1988	0XDDoHrU241vwQ.exe
1376	vpn.exe
1472	SosamCelka.exe
1576	Doretyypenis.exe
324	WebCompanion.exe
1616	Lavasoft.WCAssistant.WinService.exe
1080	Ad-Aware Web Companion.exe
2024	WebCompanion.exe

Loads dropped DLL 64 IoCs

Processes:

cheat_417615128.execheat_417615128.tmpFugiat.exeWcInstaller.exeWebCompanionInstaller.exeWebCompanion.exe

pid	process
1964	cheat_417615128.exe
1488	cheat_417615128.tmp
1488	cheat_417615128.tmp
1488	cheat_417615128.tmp
1976	Fugiat.exe
1976	Fugiat.exe
1940	WcInstaller.exe
1976	Fugiat.exe
1976	Fugiat.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
1660	WebCompanionInstaller.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2	Lavasoft.WCAssistant.WinService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetThreadContext 2 IoCs

Processes:

SosamCelka.exeDoretyypenis.exe

description	pid	process	target process
PID 1472 set thread context of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1576 set thread context of 596	1576	Doretyypenis.exe	AddInProcess32.exe

Drops file in Program Files directory 64 IoCs

Processes:

WebCompanionInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\LZ4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\System.Data.SQLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\7za.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ionic.Zip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.Loader.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\DotNetZip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Repositories.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.Shell32.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionExtensionIE.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Omni.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Extension.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe

Drops file in Windows directory 4 IoCs

Processes:

WebCompanion.exeWebCompanionInstaller.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	WebCompanion.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?pc=COS2&ptag=D021321-N0400A5089E7D110BC46F293F&form=CONBDF&conlogo=CT3331990&q={searchTerms}"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "https://www.bing.com/osjson.aspx?query={searchTerms}"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\ProgramData\\Lavasoft\\Web Companion\\Icons\\bing.ico"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1"	WebCompanion.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\OSDFileURL = " "	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowTopResult = "1"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURL = "http://www.bing.com/search?pc=COS2&ptag=D021321-N0400A5089E7D110BC46F293F&form=CONBDF&conlogo=CT3331990&q={searchTerms}"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	WebCompanion.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.bing.com/?pc=COS2&ptag=D021321-A5089E7D110BC46F293F&form=CONMHP&conlogo=CT3331990"	WebCompanion.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0XDDoHrU241vwQ.exeWebCompanionInstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0XDDoHrU241vwQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	0XDDoHrU241vwQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0XDDoHrU241vwQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0XDDoHrU241vwQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0XDDoHrU241vwQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Fugiat.exeAddInProcess32.exeAddInProcess32.exeLavasoft.WCAssistant.WinService.exeWebCompanion.exeWebCompanion.exe

pid	process
1976	Fugiat.exe
1976	Fugiat.exe
1976	Fugiat.exe
1976	Fugiat.exe
1600	AddInProcess32.exe
596	AddInProcess32.exe
1616	Lavasoft.WCAssistant.WinService.exe
1616	Lavasoft.WCAssistant.WinService.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
324	WebCompanion.exe
2024	WebCompanion.exe
2024	WebCompanion.exe
2024	WebCompanion.exe
2024	WebCompanion.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

0XDDoHrU241vwQ.exeSosamCelka.exeDoretyypenis.exeAddInProcess32.exeAddInProcess32.exeLavasoft.WCAssistant.WinService.exeWebCompanion.exeAUDIODG.EXEWebCompanion.exe

description	pid	process
Token: SeDebugPrivilege	1988	0XDDoHrU241vwQ.exe
Token: SeDebugPrivilege	1472	SosamCelka.exe
Token: SeDebugPrivilege	1576	Doretyypenis.exe
Token: SeDebugPrivilege	1600	AddInProcess32.exe
Token: SeDebugPrivilege	596	AddInProcess32.exe
Token: SeDebugPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeDebugPrivilege	324	WebCompanion.exe
Token: SeAssignPrimaryTokenPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeIncreaseQuotaPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeSecurityPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeTakeOwnershipPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeLoadDriverPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemtimePrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeBackupPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeShutdownPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemEnvironmentPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeUndockPrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: SeManageVolumePrivilege	1616	Lavasoft.WCAssistant.WinService.exe
Token: 33	1752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1752	AUDIODG.EXE
Token: 33	1752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1752	AUDIODG.EXE
Token: SeDebugPrivilege	2024	WebCompanion.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WebCompanion.exe

pid process

2024 WebCompanion.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WebCompanion.exe

pid process

2024 WebCompanion.exe

pid	process
2024	WebCompanion.exe

pid	process
2024	WebCompanion.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cheat_417615128.execheat_417615128.tmpFugiat.exeWcInstaller.exe0XDDoHrU241vwQ.exeSosamCelka.exeDoretyypenis.exeWebCompanionInstaller.exe

description	pid	process	target process
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1964 wrote to memory of 1488	1964	cheat_417615128.exe	cheat_417615128.tmp
PID 1488 wrote to memory of 1976	1488	cheat_417615128.tmp	Fugiat.exe
PID 1488 wrote to memory of 1976	1488	cheat_417615128.tmp	Fugiat.exe
PID 1488 wrote to memory of 1976	1488	cheat_417615128.tmp	Fugiat.exe
PID 1488 wrote to memory of 1976	1488	cheat_417615128.tmp	Fugiat.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1976 wrote to memory of 1940	1976	Fugiat.exe	WcInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1940 wrote to memory of 1660	1940	WcInstaller.exe	WebCompanionInstaller.exe
PID 1976 wrote to memory of 1988	1976	Fugiat.exe	0XDDoHrU241vwQ.exe
PID 1976 wrote to memory of 1988	1976	Fugiat.exe	0XDDoHrU241vwQ.exe
PID 1976 wrote to memory of 1988	1976	Fugiat.exe	0XDDoHrU241vwQ.exe
PID 1976 wrote to memory of 1988	1976	Fugiat.exe	0XDDoHrU241vwQ.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1976 wrote to memory of 1376	1976	Fugiat.exe	vpn.exe
PID 1988 wrote to memory of 1472	1988	0XDDoHrU241vwQ.exe	SosamCelka.exe
PID 1988 wrote to memory of 1472	1988	0XDDoHrU241vwQ.exe	SosamCelka.exe
PID 1988 wrote to memory of 1472	1988	0XDDoHrU241vwQ.exe	SosamCelka.exe
PID 1988 wrote to memory of 1472	1988	0XDDoHrU241vwQ.exe	SosamCelka.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1472 wrote to memory of 1600	1472	SosamCelka.exe	AddInProcess32.exe
PID 1988 wrote to memory of 1576	1988	0XDDoHrU241vwQ.exe	Doretyypenis.exe
PID 1988 wrote to memory of 1576	1988	0XDDoHrU241vwQ.exe	Doretyypenis.exe
PID 1988 wrote to memory of 1576	1988	0XDDoHrU241vwQ.exe	Doretyypenis.exe
PID 1988 wrote to memory of 1576	1988	0XDDoHrU241vwQ.exe	Doretyypenis.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1576 wrote to memory of 596	1576	Doretyypenis.exe	AddInProcess32.exe
PID 1660 wrote to memory of 1896	1660	WebCompanionInstaller.exe	sc.exe
PID 1660 wrote to memory of 1896	1660	WebCompanionInstaller.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\cheat_417615128.exe
"C:\Users\Admin\AppData\Local\Temp\cheat_417615128.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\is-IN93G.tmp\cheat_417615128.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IN93G.tmp\cheat_417615128.tmp" /SL5="$40156,2523301,119296,C:\Users\Admin\AppData\Local\Temp\cheat_417615128.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\Fugiat.exe
"C:\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\Fugiat.exe" a80b65d8bd2d53cc257dd27cf45cd04b
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\3TMU8dMe\WcInstaller.exe
C:\Users\Admin\AppData\Local\Temp\3TMU8dMe\WcInstaller.exe --silent --partner=BC180101 --homepage=1 --search=1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\7zS49719394\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=BC180101 --version=7.0.2388.4219 --prod --silent --partner=BC180101 --homepage=1 --search=1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
6⤵
PID:1896

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
6⤵
PID:1844

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
6⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
6⤵
PID:944

C:\Windows\SysWOW64\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
7⤵
PID:1176

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9gera5hs.cmdline"
7⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FBD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5FAD.tmp"
8⤵
PID:1188

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe" {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
7⤵
- Executes dropped EXE
PID:1080

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024

C:\Users\Admin\AppData\Local\Temp\XB0gmhNS\0XDDoHrU241vwQ.exe
C:\Users\Admin\AppData\Local\Temp\XB0gmhNS\0XDDoHrU241vwQ.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\SosamCelka.exe
"C:\Users\Admin\AppData\Local\Temp\SosamCelka.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\Doretyypenis.exe
"C:\Users\Admin\AppData\Local\Temp\Doretyypenis.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Users\Admin\AppData\Local\Temp\7oEVv2oc\vpn.exe
C:\Users\Admin\AppData\Local\Temp\7oEVv2oc\vpn.exe /silent /subid=510xa80b65d8bd2d53cc257dd27cf45cd04b
4⤵
- Executes dropped EXE
PID:1376

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
2⤵
PID:2044

C:\Windows\system32\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
3⤵
- Modifies data under HKEY_USERS
PID:1572

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\t3-kpdl0.cmdline"
2⤵
PID:1988

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES6A19.tmp" "c:\Windows\Temp\CSC6A18.tmp"
3⤵
PID:1600

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\yj5h_vjh.cmdline"
2⤵
PID:1672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESD7BA.tmp" "c:\Windows\Temp\CSCD7B9.tmp"
3⤵
PID:1352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
MD5
4d40f38b6c6fee069e6fecca58d7d131

SHA1
bdcbd9797eb82fb0f26131e3a77c1c3b3c96138d

SHA256
661b6ae2d490cc5a9270934aae63064b0cf39740e25c5893d116c5582faeb3cd

SHA512
0dbf00eef58ca9dcb8cff7dab1ad40b500e8df5b4ef0eab25b5af97915fde96e36cbcfb9a5d58ce868a2742e8c4cfa5204cdf422571c9052ac4d6a21c86af15d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
MD5
c8db4a2af57e626b2b8ee375a821090f

SHA1
2c2cc13bb7ec16de65016cdd848538f7b795bbe4

SHA256
f81f5f1f1eb0c518f6ee09018028168d2a3945597540bccffbb7a35c8f4b063e

SHA512
b162e098763126bd5ccd85582d8480e12eafbeb5c93af371d06577bfa8a1389ee5d25e669efe4131eb9bf7cbf77cbe617d349e50ee993f7dd4a9b27885afce6f

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
MD5
db13c52a1cff5958ec234e827dea0a23

SHA1
a6deed150aa23ba7c51cb86ca674d79428599be0

SHA256
99d06f071aa621008044b549fb7caf405a77ceadd021c554849d0a2ce682b85d

SHA512
5e9792edd53294b8674e997da01642c40753721d8b975f0f2ec15fd166dd00fd69c7f3152c4739557e56481d0c72c85bde6f097d112e71db037c6f01d0c01167

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
MD5
a69c86b30b2f37186bf2752b16c47111

SHA1
d73d39c2fc315eda5d04cdf2063d7e87a750832d

SHA256
6b621b8b77e873caa0b108626273b825585f4f2bc67de60a968e70ab93bd17c5

SHA512
8fcf7648def6d3f8b4c538cbaca03e9fa1c74bb033e9c6fe58044b2450a9e44f9695cf61c1ec7225726bc043e483e11bc8fe7be47afd4b3d807ba47971b1e39d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
MD5
b99cb0981cef2d9192236e81c2383ac2

SHA1
f171cf97ab8b4566ed61fb5fd32b60c0c7717b3e

SHA256
5698cb8d2767597b351cd93579cb1c6b1f2aedcd123fa41204c65cbc41d2f807

SHA512
55c9103a77f1353ad7d87a54aad20a2aab5c13e33b58d54b515288dddbed55f9c18dfb57219c3fbe5d822d5a7c499b259a951adf80d10d46b974f334fb4f3b20

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
MD5
b99cb0981cef2d9192236e81c2383ac2

SHA1
f171cf97ab8b4566ed61fb5fd32b60c0c7717b3e

SHA256
5698cb8d2767597b351cd93579cb1c6b1f2aedcd123fa41204c65cbc41d2f807

SHA512
55c9103a77f1353ad7d87a54aad20a2aab5c13e33b58d54b515288dddbed55f9c18dfb57219c3fbe5d822d5a7c499b259a951adf80d10d46b974f334fb4f3b20

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config
MD5
7da2e2448142be04eb4f14e75263728d

SHA1
620f41ba9700ebdffddaf05a759a8e9dcc3fe947

SHA256
980edfc10eadc914d278f35f064c7f49d5d0ac2746a819963711fb5a077634e3

SHA512
2fb184268996e7bfb68d6538c41239d2f29ffcb7021593f9f7efc60fd4955e8020c77179e714d45cba58adada28a6473619e49c9482576df141e3896d59a620e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
MD5
f1f8fe284935fc99264df2e440068750

SHA1
2ade573252e674bf018ba5b570386283f1675529

SHA256
61c1e70857669b8c9be60f5594ca44b43cf83274df3b78103e78e3f3a130ca58

SHA512
e1c4f23968f4413a39de1b3b62fd8905f6e0b9bfd34c2aa5af1fb0a9883a6ac3b7c52c28d9fc7cf4dc848cfefd26485ca33593a6d1b435091a7227d5d1fbe0e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e92176b0889cc1bb97114beb2f3c1728

SHA1
ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443

SHA256
58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3

SHA512
cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
MD5
d762fa6622472e2f5c11a8ceb923f8fa

SHA1
7d1f248a50bc06030c4901e2f6f403cf386f97cc

SHA256
cd312cbd6186cec4cc006c7f25ea9b847470c4c19d52ba2a3b40fa61177e9d23

SHA512
4c5e5830cf0dbafd8c41100892a626b07e8dba074bdffc05f29b677c0e06981530e4686c81e2f2f2e5a738b98bf57b4a21674ea82ffefc4f32fd25807ac4a77c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2
MD5
98f7cc9d65be358e7a4eb99de5c3a03f

SHA1
e31a175e20ad1682449deeb0d9dbae7db9037648

SHA256
eb6522d4fec9783a62988eb6e64a1643726f6181ac93a32b2ef9f40b6fbea25b

SHA512
fbfdacc5c31b615644fd1d4a6b4cd0d2de8e5382efe45ad7773ed6e89caa50287199c8da704721cb5aab6aedccb93b9d0b3ab812bbb93de0c25cc5879f9eb8e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
661607820a5968a80e96ee945ee37d40

SHA1
8e6ba4cd98facb4a920a1b6c1294116507c0a127

SHA256
845f0cab7b8ecf90bc7a5b66c1f366f17330ede4b26e3cd10e4301d3155a7de7

SHA512
363fec58590946bac5240a5339e145989e93085ce69786262ba49877fb1efd8f2da71e21e691267f2de3ee40f11d72a2b033ad42d56aa6c0a57c5e6784205466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
008b300436d468258db518e6f112c181

SHA1
b48c5adf1fd3a41aafe848a18388c3616877403f

SHA256
6065b136bec2375f82d47d7aba3acd2e7231f5ce329b52e3016cc71d8320d170

SHA512
043ac89bbd81a97a3dbf4a8a15bcd44e7ec033e57823dffcaec9f70d8fd05b6b62f90c178620b40448a587a15e4a34c13cd4afe8d425b8fec905b574b01f6436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
dc5b3fbe95415639732bba1becd418a2

SHA1
ae743cd8ffcd0090ea95c2c8df69487e2ed8850e

SHA256
80d8b5422606cfa36097bff8776edfd9f16f80929fae497045e2273e9e767d81

SHA512
191a3f637dfd73f60351e98dcc07c7dbb1a0be23359f503da0074977ade1793098aeeceae6d2a0c07e97f739c80a0a80be8416fbc38161ed11fcbcc035848124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
MD5
eb864cdc984a57691df313d6ba82b320

SHA1
de033c1108c48b79496929de2f5644d0927181c1

SHA256
231e670684902d33bc102d289c00d98b58971d8b609022df2625c625a567163b

SHA512
997dc11544f9eb5083acd791626d00473df16f47d745f487cac705a45d09cfc52c0d89edc46e33a363bdca1e513eb7104dc17948f6b9d7b769854cf65b0237fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2
MD5
ce448d7abcd44001db5a15716410c4d9

SHA1
e26622d7b1c4347447a2db4d72826bdcd7252750

SHA256
2f96efd14b3375bb1fd53d8a2439183078ee7c61ed7ec2b2db95339329815ba7

SHA512
80e658438c2b1372c9012d0245501f841b4b704443298caee4839a0302b0925216dc2c8908589011c9626b452c59811269566f9d9994c53cac045c653522ed98

Download Submit
C:\Users\Admin\AppData\Local\Temp\3TMU8dMe\WcInstaller.exe
MD5
6de14664bd416160d08f5af41d3ca698

SHA1
6b99cc08ede75504745221892b67a6fc6f46176e

SHA256
c6bf7f7d81440f00c28e85ddab6d2c6b3af669d6f99a23b0cdbf8f99b0619541

SHA512
d30f429389cbaa6320aa33a6ae341d2058756ac0ba5f1ff43be4a3824a19cdac0eca1a90d7f1b92aae4b8b39682749eb282ed43afe696301c5d9f20fca8ce628

Download Submit
C:\Users\Admin\AppData\Local\Temp\3TMU8dMe\WcInstaller.exe
MD5
6de14664bd416160d08f5af41d3ca698

SHA1
6b99cc08ede75504745221892b67a6fc6f46176e

SHA256
c6bf7f7d81440f00c28e85ddab6d2c6b3af669d6f99a23b0cdbf8f99b0619541

SHA512
d30f429389cbaa6320aa33a6ae341d2058756ac0ba5f1ff43be4a3824a19cdac0eca1a90d7f1b92aae4b8b39682749eb282ed43afe696301c5d9f20fca8ce628

Download Submit
C:\Users\Admin\AppData\Local\Temp\7oEVv2oc\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49719394\ICSharpCode.SharpZipLib.dll
MD5
95cae18bf7d7b66f2bb3dd025559d317

SHA1
e7ab70de5e7452f6083bedf676acfd88d90e7840

SHA256
52200861ae973e9281ce75ec532a59827d89f2eb55a8b185384fb611c0b61d32

SHA512
c948dc7491b94a0069568228321304179f76c40c6bc83ec6a3712dedb019305eca0d88fdc40cd0ad891e5d3fbc333edbcfd9939e7ec6d65086333a0f72c29b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49719394\Newtonsoft.Json.dll
MD5
15396a361000794fb2502aff2c4306db

SHA1
e671f739b3d19afc756b0950b0f24a936da729d7

SHA256
1ddb20849782b0ed86f243880dc961180ffc72e96d23a9c04affb0c47152e8e3

SHA512
c737b92ea0899a0ee82cf8e5ce77b0c5b760322f95a6b8d92cefa663d32414420300b2a71decc8cd37a16de9ff64c5c53de6b40db771b323189d789d160ce144

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49719394\WebCompanionInstaller.exe
MD5
46f2f7fb2d53b5b6e0ccb42cd57f6985

SHA1
c856e69aa810ad770a683cb5f9fa1405a181ed52

SHA256
06ed971cc696dfc80f3aecba48fc60bae4b9c2080a81c07ecdd4a8d31b14d92e

SHA512
c1fd5772a05ef422731bcd55e75d8f8e3098f312ae9f2519db631e296bd0a36ebe6fc3d743363fb49b6eee03b3f98780b231d76afb8a20e0cf5d3e6e3e1c386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49719394\WebCompanionInstaller.exe
MD5
46f2f7fb2d53b5b6e0ccb42cd57f6985

SHA1
c856e69aa810ad770a683cb5f9fa1405a181ed52

SHA256
06ed971cc696dfc80f3aecba48fc60bae4b9c2080a81c07ecdd4a8d31b14d92e

SHA512
c1fd5772a05ef422731bcd55e75d8f8e3098f312ae9f2519db631e296bd0a36ebe6fc3d743363fb49b6eee03b3f98780b231d76afb8a20e0cf5d3e6e3e1c386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49719394\WebCompanionInstaller.exe.config
MD5
0d86e732c7d385b99b69eb1ec27af0a3

SHA1
f5ff2bfc03b4b7704f5c2add6f7efcd7e177006e

SHA256
b33e2cb24a9641d16dab02ba41564b7b3a6cfd9c81843878d04f93b4a6ea875e

SHA512
87b8a4de11c14b9d0f3b93b26f8bab47c53feae3a00d4d11da7a1ff4dd3fd4408ffb9a2157752608800f0a0beaba15fb4dadaaa0d16db28c6604ca400979c36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doretyypenis.exe
MD5
14cc33b02c0b510e4fea20127aff0a28

SHA1
9c49405533f4e9d4b49e315e020b449d3ba0d1e7

SHA256
74994fbfbdaa4354185ec03f33ab38d92623681ab392cfce4b1f6b9b5e1180ac

SHA512
b2e4f9d9396f0dcc856893110f1a16f685fd071925b3d878c023e4c80167f66be442bf2c2855f13efff99a9e97f3cdc73999b91bf77edbe88b39e1552d457e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doretyypenis.exe
MD5
14cc33b02c0b510e4fea20127aff0a28

SHA1
9c49405533f4e9d4b49e315e020b449d3ba0d1e7

SHA256
74994fbfbdaa4354185ec03f33ab38d92623681ab392cfce4b1f6b9b5e1180ac

SHA512
b2e4f9d9396f0dcc856893110f1a16f685fd071925b3d878c023e4c80167f66be442bf2c2855f13efff99a9e97f3cdc73999b91bf77edbe88b39e1552d457e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\SosamCelka.exe
MD5
99442aa7c203e47ccea232bd3eaf7d38

SHA1
155d05aef1fb4341df0c573cf9ff90c94ec53d28

SHA256
658134ceb037b17adbb6be720759f485d84acbbcad019fff86a9e7deec53fc0f

SHA512
6c84df5d6ba9cec6fd65864b3f9a893ee73304c80e5669857054acd7f1e2206c8843fb4e867ce57347cf824fe1f111293266e16659dbf8c9612314957e19fd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\SosamCelka.exe
MD5
99442aa7c203e47ccea232bd3eaf7d38

SHA1
155d05aef1fb4341df0c573cf9ff90c94ec53d28

SHA256
658134ceb037b17adbb6be720759f485d84acbbcad019fff86a9e7deec53fc0f

SHA512
6c84df5d6ba9cec6fd65864b3f9a893ee73304c80e5669857054acd7f1e2206c8843fb4e867ce57347cf824fe1f111293266e16659dbf8c9612314957e19fd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XB0gmhNS\0XDDoHrU241vwQ.exe
MD5
8282840e5a0e8f3e90503ca94c3cc5b6

SHA1
a330529d52b50a1bd7f94d8f4dd5e1dd9ff79865

SHA256
f39d409b07ce9bd9e20303c0b3226cd63e809ab56dc5d9d47b2e6af817e51792

SHA512
25cb1130be8ce69d9ed32abd7bf4eeae4e48a045b44b056c45eb37f17bced4e958bce4589a4d0e9e0008b0a5701c23fd80d02cc0a7acb0ea2c8d9a6ac06fca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XB0gmhNS\0XDDoHrU241vwQ.exe
MD5
8282840e5a0e8f3e90503ca94c3cc5b6

SHA1
a330529d52b50a1bd7f94d8f4dd5e1dd9ff79865

SHA256
f39d409b07ce9bd9e20303c0b3226cd63e809ab56dc5d9d47b2e6af817e51792

SHA512
25cb1130be8ce69d9ed32abd7bf4eeae4e48a045b44b056c45eb37f17bced4e958bce4589a4d0e9e0008b0a5701c23fd80d02cc0a7acb0ea2c8d9a6ac06fca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\Fugiat.exe
MD5
953dd51dcffb3947f4dd9380a9722205

SHA1
18ef0815ea99cae76be5d5ba2ad10fedca62bdb9

SHA256
11cd6bbb714b8661b2c8bda0979fdc28625737d4ad7b11c5e1c88b79eded61d7

SHA512
ca5e333c77271aeb37fa9149371a282a8dc2e9b9d93809f497bee0f437fa8b36e75999ad946344046890126385616259f9b60ed7590ba3f86d55d48ac5d858e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IN93G.tmp\cheat_417615128.tmp
MD5
6a96bef4679e16a54b4090e74664dcca

SHA1
c8631c1624b98f6709b1ac37ce3956faed29bc30

SHA256
cb095356ddcfcbace96c6252fb73a267ed011c15ff206a7a9302007baa68a783

SHA512
924ab1e5c6ea72342eab6e78899a56c415e90020c46d3d8a81ae4da9276db7ea1df9684965a81fb95a6f2f9cf103b31413d67770eb15725ad04198c5d00037d0

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
MD5
4d40f38b6c6fee069e6fecca58d7d131

SHA1
bdcbd9797eb82fb0f26131e3a77c1c3b3c96138d

SHA256
661b6ae2d490cc5a9270934aae63064b0cf39740e25c5893d116c5582faeb3cd

SHA512
0dbf00eef58ca9dcb8cff7dab1ad40b500e8df5b4ef0eab25b5af97915fde96e36cbcfb9a5d58ce868a2742e8c4cfa5204cdf422571c9052ac4d6a21c86af15d

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
MD5
4d40f38b6c6fee069e6fecca58d7d131

SHA1
bdcbd9797eb82fb0f26131e3a77c1c3b3c96138d

SHA256
661b6ae2d490cc5a9270934aae63064b0cf39740e25c5893d116c5582faeb3cd

SHA512
0dbf00eef58ca9dcb8cff7dab1ad40b500e8df5b4ef0eab25b5af97915fde96e36cbcfb9a5d58ce868a2742e8c4cfa5204cdf422571c9052ac4d6a21c86af15d

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
MD5
4d40f38b6c6fee069e6fecca58d7d131

SHA1
bdcbd9797eb82fb0f26131e3a77c1c3b3c96138d

SHA256
661b6ae2d490cc5a9270934aae63064b0cf39740e25c5893d116c5582faeb3cd

SHA512
0dbf00eef58ca9dcb8cff7dab1ad40b500e8df5b4ef0eab25b5af97915fde96e36cbcfb9a5d58ce868a2742e8c4cfa5204cdf422571c9052ac4d6a21c86af15d

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
MD5
c8db4a2af57e626b2b8ee375a821090f

SHA1
2c2cc13bb7ec16de65016cdd848538f7b795bbe4

SHA256
f81f5f1f1eb0c518f6ee09018028168d2a3945597540bccffbb7a35c8f4b063e

SHA512
b162e098763126bd5ccd85582d8480e12eafbeb5c93af371d06577bfa8a1389ee5d25e669efe4131eb9bf7cbf77cbe617d349e50ee993f7dd4a9b27885afce6f

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
MD5
c8db4a2af57e626b2b8ee375a821090f

SHA1
2c2cc13bb7ec16de65016cdd848538f7b795bbe4

SHA256
f81f5f1f1eb0c518f6ee09018028168d2a3945597540bccffbb7a35c8f4b063e

SHA512
b162e098763126bd5ccd85582d8480e12eafbeb5c93af371d06577bfa8a1389ee5d25e669efe4131eb9bf7cbf77cbe617d349e50ee993f7dd4a9b27885afce6f

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
MD5
c8db4a2af57e626b2b8ee375a821090f

SHA1
2c2cc13bb7ec16de65016cdd848538f7b795bbe4

SHA256
f81f5f1f1eb0c518f6ee09018028168d2a3945597540bccffbb7a35c8f4b063e

SHA512
b162e098763126bd5ccd85582d8480e12eafbeb5c93af371d06577bfa8a1389ee5d25e669efe4131eb9bf7cbf77cbe617d349e50ee993f7dd4a9b27885afce6f

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
MD5
db13c52a1cff5958ec234e827dea0a23

SHA1
a6deed150aa23ba7c51cb86ca674d79428599be0

SHA256
99d06f071aa621008044b549fb7caf405a77ceadd021c554849d0a2ce682b85d

SHA512
5e9792edd53294b8674e997da01642c40753721d8b975f0f2ec15fd166dd00fd69c7f3152c4739557e56481d0c72c85bde6f097d112e71db037c6f01d0c01167

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
MD5
db13c52a1cff5958ec234e827dea0a23

SHA1
a6deed150aa23ba7c51cb86ca674d79428599be0

SHA256
99d06f071aa621008044b549fb7caf405a77ceadd021c554849d0a2ce682b85d

SHA512
5e9792edd53294b8674e997da01642c40753721d8b975f0f2ec15fd166dd00fd69c7f3152c4739557e56481d0c72c85bde6f097d112e71db037c6f01d0c01167

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
MD5
db13c52a1cff5958ec234e827dea0a23

SHA1
a6deed150aa23ba7c51cb86ca674d79428599be0

SHA256
99d06f071aa621008044b549fb7caf405a77ceadd021c554849d0a2ce682b85d

SHA512
5e9792edd53294b8674e997da01642c40753721d8b975f0f2ec15fd166dd00fd69c7f3152c4739557e56481d0c72c85bde6f097d112e71db037c6f01d0c01167

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
MD5
a69c86b30b2f37186bf2752b16c47111

SHA1
d73d39c2fc315eda5d04cdf2063d7e87a750832d

SHA256
6b621b8b77e873caa0b108626273b825585f4f2bc67de60a968e70ab93bd17c5

SHA512
8fcf7648def6d3f8b4c538cbaca03e9fa1c74bb033e9c6fe58044b2450a9e44f9695cf61c1ec7225726bc043e483e11bc8fe7be47afd4b3d807ba47971b1e39d

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
MD5
b99cb0981cef2d9192236e81c2383ac2

SHA1
f171cf97ab8b4566ed61fb5fd32b60c0c7717b3e

SHA256
5698cb8d2767597b351cd93579cb1c6b1f2aedcd123fa41204c65cbc41d2f807

SHA512
55c9103a77f1353ad7d87a54aad20a2aab5c13e33b58d54b515288dddbed55f9c18dfb57219c3fbe5d822d5a7c499b259a951adf80d10d46b974f334fb4f3b20

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
MD5
b99cb0981cef2d9192236e81c2383ac2

SHA1
f171cf97ab8b4566ed61fb5fd32b60c0c7717b3e

SHA256
5698cb8d2767597b351cd93579cb1c6b1f2aedcd123fa41204c65cbc41d2f807

SHA512
55c9103a77f1353ad7d87a54aad20a2aab5c13e33b58d54b515288dddbed55f9c18dfb57219c3fbe5d822d5a7c499b259a951adf80d10d46b974f334fb4f3b20

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
MD5
b99cb0981cef2d9192236e81c2383ac2

SHA1
f171cf97ab8b4566ed61fb5fd32b60c0c7717b3e

SHA256
5698cb8d2767597b351cd93579cb1c6b1f2aedcd123fa41204c65cbc41d2f807

SHA512
55c9103a77f1353ad7d87a54aad20a2aab5c13e33b58d54b515288dddbed55f9c18dfb57219c3fbe5d822d5a7c499b259a951adf80d10d46b974f334fb4f3b20

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
MD5
f1f8fe284935fc99264df2e440068750

SHA1
2ade573252e674bf018ba5b570386283f1675529

SHA256
61c1e70857669b8c9be60f5594ca44b43cf83274df3b78103e78e3f3a130ca58

SHA512
e1c4f23968f4413a39de1b3b62fd8905f6e0b9bfd34c2aa5af1fb0a9883a6ac3b7c52c28d9fc7cf4dc848cfefd26485ca33593a6d1b435091a7227d5d1fbe0e6

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
MD5
f1f8fe284935fc99264df2e440068750

SHA1
2ade573252e674bf018ba5b570386283f1675529

SHA256
61c1e70857669b8c9be60f5594ca44b43cf83274df3b78103e78e3f3a130ca58

SHA512
e1c4f23968f4413a39de1b3b62fd8905f6e0b9bfd34c2aa5af1fb0a9883a6ac3b7c52c28d9fc7cf4dc848cfefd26485ca33593a6d1b435091a7227d5d1fbe0e6

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
MD5
f1f8fe284935fc99264df2e440068750

SHA1
2ade573252e674bf018ba5b570386283f1675529

SHA256
61c1e70857669b8c9be60f5594ca44b43cf83274df3b78103e78e3f3a130ca58

SHA512
e1c4f23968f4413a39de1b3b62fd8905f6e0b9bfd34c2aa5af1fb0a9883a6ac3b7c52c28d9fc7cf4dc848cfefd26485ca33593a6d1b435091a7227d5d1fbe0e6

Download Submit
\Users\Admin\AppData\Local\Temp\3TMU8dMe\WcInstaller.exe
MD5
6de14664bd416160d08f5af41d3ca698

SHA1
6b99cc08ede75504745221892b67a6fc6f46176e

SHA256
c6bf7f7d81440f00c28e85ddab6d2c6b3af669d6f99a23b0cdbf8f99b0619541

SHA512
d30f429389cbaa6320aa33a6ae341d2058756ac0ba5f1ff43be4a3824a19cdac0eca1a90d7f1b92aae4b8b39682749eb282ed43afe696301c5d9f20fca8ce628

Download Submit
\Users\Admin\AppData\Local\Temp\7oEVv2oc\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\ICSharpCode.SharpZipLib.dll
MD5
95cae18bf7d7b66f2bb3dd025559d317

SHA1
e7ab70de5e7452f6083bedf676acfd88d90e7840

SHA256
52200861ae973e9281ce75ec532a59827d89f2eb55a8b185384fb611c0b61d32

SHA512
c948dc7491b94a0069568228321304179f76c40c6bc83ec6a3712dedb019305eca0d88fdc40cd0ad891e5d3fbc333edbcfd9939e7ec6d65086333a0f72c29b07

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\ICSharpCode.SharpZipLib.dll
MD5
95cae18bf7d7b66f2bb3dd025559d317

SHA1
e7ab70de5e7452f6083bedf676acfd88d90e7840

SHA256
52200861ae973e9281ce75ec532a59827d89f2eb55a8b185384fb611c0b61d32

SHA512
c948dc7491b94a0069568228321304179f76c40c6bc83ec6a3712dedb019305eca0d88fdc40cd0ad891e5d3fbc333edbcfd9939e7ec6d65086333a0f72c29b07

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\ICSharpCode.SharpZipLib.dll
MD5
95cae18bf7d7b66f2bb3dd025559d317

SHA1
e7ab70de5e7452f6083bedf676acfd88d90e7840

SHA256
52200861ae973e9281ce75ec532a59827d89f2eb55a8b185384fb611c0b61d32

SHA512
c948dc7491b94a0069568228321304179f76c40c6bc83ec6a3712dedb019305eca0d88fdc40cd0ad891e5d3fbc333edbcfd9939e7ec6d65086333a0f72c29b07

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\Newtonsoft.Json.dll
MD5
15396a361000794fb2502aff2c4306db

SHA1
e671f739b3d19afc756b0950b0f24a936da729d7

SHA256
1ddb20849782b0ed86f243880dc961180ffc72e96d23a9c04affb0c47152e8e3

SHA512
c737b92ea0899a0ee82cf8e5ce77b0c5b760322f95a6b8d92cefa663d32414420300b2a71decc8cd37a16de9ff64c5c53de6b40db771b323189d789d160ce144

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\Newtonsoft.Json.dll
MD5
15396a361000794fb2502aff2c4306db

SHA1
e671f739b3d19afc756b0950b0f24a936da729d7

SHA256
1ddb20849782b0ed86f243880dc961180ffc72e96d23a9c04affb0c47152e8e3

SHA512
c737b92ea0899a0ee82cf8e5ce77b0c5b760322f95a6b8d92cefa663d32414420300b2a71decc8cd37a16de9ff64c5c53de6b40db771b323189d789d160ce144

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\Newtonsoft.Json.dll
MD5
15396a361000794fb2502aff2c4306db

SHA1
e671f739b3d19afc756b0950b0f24a936da729d7

SHA256
1ddb20849782b0ed86f243880dc961180ffc72e96d23a9c04affb0c47152e8e3

SHA512
c737b92ea0899a0ee82cf8e5ce77b0c5b760322f95a6b8d92cefa663d32414420300b2a71decc8cd37a16de9ff64c5c53de6b40db771b323189d789d160ce144

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49719394\WebCompanionInstaller.exe
MD5
46f2f7fb2d53b5b6e0ccb42cd57f6985

SHA1
c856e69aa810ad770a683cb5f9fa1405a181ed52

SHA256
06ed971cc696dfc80f3aecba48fc60bae4b9c2080a81c07ecdd4a8d31b14d92e

SHA512
c1fd5772a05ef422731bcd55e75d8f8e3098f312ae9f2519db631e296bd0a36ebe6fc3d743363fb49b6eee03b3f98780b231d76afb8a20e0cf5d3e6e3e1c386f

Download Submit
\Users\Admin\AppData\Local\Temp\XB0gmhNS\0XDDoHrU241vwQ.exe
MD5
8282840e5a0e8f3e90503ca94c3cc5b6

SHA1
a330529d52b50a1bd7f94d8f4dd5e1dd9ff79865

SHA256
f39d409b07ce9bd9e20303c0b3226cd63e809ab56dc5d9d47b2e6af817e51792

SHA512
25cb1130be8ce69d9ed32abd7bf4eeae4e48a045b44b056c45eb37f17bced4e958bce4589a4d0e9e0008b0a5701c23fd80d02cc0a7acb0ea2c8d9a6ac06fca4b

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\Fugiat.exe
MD5
953dd51dcffb3947f4dd9380a9722205

SHA1
18ef0815ea99cae76be5d5ba2ad10fedca62bdb9

SHA256
11cd6bbb714b8661b2c8bda0979fdc28625737d4ad7b11c5e1c88b79eded61d7

SHA512
ca5e333c77271aeb37fa9149371a282a8dc2e9b9d93809f497bee0f437fa8b36e75999ad946344046890126385616259f9b60ed7590ba3f86d55d48ac5d858e0

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECT1Q.tmp\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\is-IN93G.tmp\cheat_417615128.tmp
MD5
6a96bef4679e16a54b4090e74664dcca

SHA1
c8631c1624b98f6709b1ac37ce3956faed29bc30

SHA256
cb095356ddcfcbace96c6252fb73a267ed011c15ff206a7a9302007baa68a783

SHA512
924ab1e5c6ea72342eab6e78899a56c415e90020c46d3d8a81ae4da9276db7ea1df9684965a81fb95a6f2f9cf103b31413d67770eb15725ad04198c5d00037d0

Download Submit
memory/324-123-0x000000006BC30000-0x000000006C31E000-memory.dmp

Filesize
6.9MB

Download
memory/324-120-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/324-146-0x0000000000523000-0x0000000000524000-memory.dmp

Filesize
4KB

Download
memory/324-124-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/324-145-0x0000000000522000-0x0000000000523000-memory.dmp

Filesize
4KB

Download
memory/324-135-0x0000000000521000-0x0000000000522000-memory.dmp

Filesize
4KB

Download
memory/324-94-0x0000000000000000-mapping.dmp

Download
memory/572-147-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp

Filesize
2.5MB

Download
memory/596-81-0x000000006BC30000-0x000000006C31E000-memory.dmp

Filesize
6.9MB

Download
memory/596-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/596-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/596-80-0x0000000000421E02-mapping.dmp

Download
memory/596-87-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/944-90-0x0000000000000000-mapping.dmp

Download
memory/1080-141-0x0000000000000000-mapping.dmp

Download
memory/1176-91-0x0000000000000000-mapping.dmp

Download
memory/1188-137-0x0000000000000000-mapping.dmp

Download
memory/1192-86-0x0000000000000000-mapping.dmp

Download
memory/1352-157-0x0000000000000000-mapping.dmp

Download
memory/1376-44-0x0000000000000000-mapping.dmp

Download
memory/1472-52-0x000000006BC30000-0x000000006C31E000-memory.dmp

Filesize
6.9MB

Download
memory/1472-56-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/1472-49-0x0000000000000000-mapping.dmp

Download
memory/1472-53-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1488-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1488-4-0x0000000000000000-mapping.dmp

Download
memory/1572-133-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1572-132-0x0000000000000000-mapping.dmp

Download
memory/1576-74-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1576-69-0x000000006BC30000-0x000000006C31E000-memory.dmp

Filesize
6.9MB

Download
memory/1576-66-0x0000000000000000-mapping.dmp

Download
memory/1576-70-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1600-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1600-62-0x0000000000421E02-mapping.dmp

Download
memory/1600-63-0x000000006BC30000-0x000000006C31E000-memory.dmp

Filesize
6.9MB

Download
memory/1600-140-0x0000000000000000-mapping.dmp

Download
memory/1600-73-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1600-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1616-138-0x0000000000B5B000-0x0000000000B5D000-memory.dmp

Filesize
8KB

Download
memory/1616-143-0x0000000000B5D000-0x0000000000B5E000-memory.dmp

Filesize
4KB

Download
memory/1616-134-0x0000000000B3A000-0x0000000000B59000-memory.dmp

Filesize
124KB

Download
memory/1616-129-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-127-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-128-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/1644-136-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1644-130-0x0000000000000000-mapping.dmp

Download
memory/1660-27-0x0000000000000000-mapping.dmp

Download
memory/1660-36-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1672-156-0x0000000000000000-mapping.dmp

Download
memory/1672-158-0x0000000001330000-0x0000000001332000-memory.dmp

Filesize
8KB

Download
memory/1844-85-0x0000000000000000-mapping.dmp

Download
memory/1896-84-0x0000000000000000-mapping.dmp

Download
memory/1940-22-0x0000000000000000-mapping.dmp

Download
memory/1964-14-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1964-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1976-18-0x0000000004DE0000-0x0000000004DF1000-memory.dmp

Filesize
68KB

Download
memory/1976-19-0x0000000000400000-0x0000000001458000-memory.dmp

Filesize
16.3MB

Download
memory/1976-20-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1976-17-0x00000000049D0000-0x00000000049E1000-memory.dmp

Filesize
68KB

Download
memory/1976-10-0x0000000000000000-mapping.dmp

Download
memory/1988-139-0x0000000000000000-mapping.dmp

Download
memory/1988-144-0x0000000001240000-0x0000000001242000-memory.dmp

Filesize
8KB

Download
memory/1988-47-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/1988-35-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-42-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1988-32-0x0000000000000000-mapping.dmp

Download
memory/1988-40-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2024-150-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2024-151-0x000000006BD40000-0x000000006C42E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-155-0x0000000000B51000-0x0000000000B52000-memory.dmp

Filesize
4KB

Download
memory/2024-152-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/2024-148-0x0000000000000000-mapping.dmp

Download
memory/2024-159-0x0000000000B56000-0x0000000000B67000-memory.dmp

Filesize
68KB

Download
memory/2024-160-0x0000000000B67000-0x0000000000B68000-memory.dmp

Filesize
4KB

Download
memory/2044-131-0x0000000000000000-mapping.dmp

Download