880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Size

326KB
MD5

92b1ba5c910b6cfdfbc4695c0bacb8be
SHA1

8efd46ec55189a7a288a6bd3ed62cd614e37536e
SHA256

880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299
SHA512

dee25836d7ce620269d8cf230c0d1307bd2adf031428b447f3f00c3de1fef216f46e537660c2fb10784f1b24b83e7550f0577da14eaad1dcdba286215bf234d6

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

WCInstaller.exeWebCompanionInstaller.exeWebCompanion.exeLavasoft.WCAssistant.WinService.exeAd-Aware Web Companion.exeWebCompanion.exe

pid	process
4104	WCInstaller.exe
1928	WebCompanionInstaller.exe
4012	WebCompanion.exe
1224	Lavasoft.WCAssistant.WinService.exe
2768	Ad-Aware Web Companion.exe
364	WebCompanion.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WebCompanionInstaller.exeWebCompanion.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WebCompanionInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WebCompanion.exe

Loads dropped DLL 64 IoCs

Processes:

WebCompanionInstaller.exeWebCompanion.exe

pid	process
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
1928	WebCompanionInstaller.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks for any installed AV software in registry 1 TTPs 39 IoCs

Security Software Discovery

T1063

Processes:

880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Jiangmin\ComputerID	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\ClamWin\Version	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Avira\Antivirus	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\IKARUS\anti.virus	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Sophos	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\McAfee\DesktopProtection	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\ArcaBit	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\K7 Computing\K7TotalSecurity	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Fortinet\FortiClient\installed	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\ESET\NOD	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\KasperskyLab	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\G Data\AntiVirenKit	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\BullGuard Ltd.\BullGuard\Main	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AhnLab\V3IS80	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Bitdefender\QuickScan	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Vba32\Loader	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\TrendMicro\UniClient	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

WebCompanion.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WebCompanion.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

flow	ioc
8	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2	Lavasoft.WCAssistant.WinService.exe

Drops file in Program Files directory 64 IoCs

Processes:

WebCompanionInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUEngineS.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\LZ4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Omni.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUSDK.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon_Pro.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\DotNetZip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.Shell32.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Extension.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionExtensionIE.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.Loader.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Extension\@wcextensionff.xpi	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\acs17.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\7za.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico	WebCompanionInstaller.exe

Drops file in Windows directory 7 IoCs

Processes:

WebCompanionInstaller.exeWebCompanion.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe
File opened for modification	C:\Windows\assembly	WebCompanion.exe
File created	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

WebCompanion.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960851"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\ShowTopResult = "1"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\TopResultURL = "https://defaultsearch.co?q={searchTerms}"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960851"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2851573323"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000bc7d40072e112646a7529288bdc806a5ba16839bbce8176d2eff998b866dc0c4000000000e8000000002000020000000a86f523f77a819f99e9afd77eb80b3dfaab2889a0867c60c30b7f21bbad4cdd6200000002edfb1b2feedf2947ae814212f8008815e4ddadce94486b81fc72c0804e8885d40000000384f3f06634b14d9dfb404ed1cb951935afc5e2f2968779b8c3894cbc62c353b8d14e8c6bb0533b41b31fad544588c651415c455fd233eb937ebfb4870fe34db	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\DisplayName = "DefaultSearchYahoo"	WebCompanion.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\FaviconPath = "C:\\ProgramData\\Lavasoft\\Web Companion\\Icons\\yahoo.ico"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\FaviconURL = "https://defaultsearch.co/favicon.ico"	WebCompanion.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001769abd36cd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000277ee51a6d5a1b2203cd4e3aa60e8edb34fe05150740b9befdaa2bc10b27b099000000000e800000000200002000000025f96322b0c997aad4ed363ceda337050a1ab83251334ffceb7a0495ea9aa3922000000044d24617ae6560e303383a4b22931ecec63c6cbaa2d23734ed3ffdfa5cd4955d40000000b13133b7e2882e1753ea976e0c00cea421f6f43b1066a3d12a0d7f0a19a8a894da68e89f602ab78b26e7cd09372632b07372d4ef68478993019ba28d89180c20	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960851"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2855480714"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4062b5abd36cd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2851573323"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\URL = "https://securesearch.org?q={searchTerms}"	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\OSDFileURL = " "	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\ShowSearchSuggestions = "1"	WebCompanion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359875879"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D599EFC0-D8C6-11EC-AD90-6EEA54F4F547} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{993F5746-4C15-42BC-99C1-064A1764271B}\SuggestionsURL = "https://defaultsearch.co?q={searchTerms}"	WebCompanion.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

WebCompanion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://securesearch.org/homepage?hp=2&pId=AE190201&iDate=2022-05-21 05:28:53&iid=e8731496-0027-48c7-b220-a9e255fafc7b&bName="	WebCompanion.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

Lavasoft.WCAssistant.WinService.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Lavasoft.WCAssistant.WinService.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WebCompanionInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exeLavasoft.WCAssistant.WinService.exeWebCompanion.exeWebCompanion.exe

pid	process
332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
1224	Lavasoft.WCAssistant.WinService.exe
1224	Lavasoft.WCAssistant.WinService.exe
1224	Lavasoft.WCAssistant.WinService.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
4012	WebCompanion.exe
364	WebCompanion.exe
364	WebCompanion.exe
364	WebCompanion.exe
364	WebCompanion.exe
364	WebCompanion.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

176 IEXPLORE.EXE

pid	process
176	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WebCompanionInstaller.exeWebCompanion.exeLavasoft.WCAssistant.WinService.exeWebCompanion.exe

description	pid	process
Token: SeDebugPrivilege	1928	WebCompanionInstaller.exe
Token: SeDebugPrivilege	4012	WebCompanion.exe
Token: SeDebugPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeAssignPrimaryTokenPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeIncreaseQuotaPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeSecurityPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeTakeOwnershipPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeLoadDriverPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemtimePrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeBackupPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeShutdownPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemEnvironmentPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeUndockPrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeManageVolumePrivilege	1224	Lavasoft.WCAssistant.WinService.exe
Token: SeDebugPrivilege	364	WebCompanion.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

IEXPLORE.EXEWebCompanion.exe

pid process

176 IEXPLORE.EXE
364 WebCompanion.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WebCompanion.exe

pid process

364 WebCompanion.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

176 IEXPLORE.EXE
176 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE

pid	process
176	IEXPLORE.EXE
364	WebCompanion.exe

pid	process
364	WebCompanion.exe

pid	process
176	IEXPLORE.EXE
176	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exeiexplore.exeIEXPLORE.EXEWCInstaller.exeWebCompanionInstaller.execmd.exeLavasoft.WCAssistant.WinService.execmd.exeWebCompanion.execsc.execsc.execsc.exe

description	pid	process	target process
PID 332 wrote to memory of 3736	332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe	iexplore.exe
PID 332 wrote to memory of 3736	332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe	iexplore.exe
PID 332 wrote to memory of 3736	332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe	iexplore.exe
PID 3736 wrote to memory of 176	3736	iexplore.exe	IEXPLORE.EXE
PID 3736 wrote to memory of 176	3736	iexplore.exe	IEXPLORE.EXE
PID 176 wrote to memory of 1968	176	IEXPLORE.EXE	IEXPLORE.EXE
PID 176 wrote to memory of 1968	176	IEXPLORE.EXE	IEXPLORE.EXE
PID 176 wrote to memory of 1968	176	IEXPLORE.EXE	IEXPLORE.EXE
PID 332 wrote to memory of 4104	332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe	WCInstaller.exe
PID 332 wrote to memory of 4104	332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe	WCInstaller.exe
PID 332 wrote to memory of 4104	332	880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe	WCInstaller.exe
PID 4104 wrote to memory of 1928	4104	WCInstaller.exe	WebCompanionInstaller.exe
PID 4104 wrote to memory of 1928	4104	WCInstaller.exe	WebCompanionInstaller.exe
PID 4104 wrote to memory of 1928	4104	WCInstaller.exe	WebCompanionInstaller.exe
PID 1928 wrote to memory of 384	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 384	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 384	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 4044	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 4044	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 4044	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 4068	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 4068	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 4068	1928	WebCompanionInstaller.exe	sc.exe
PID 1928 wrote to memory of 428	1928	WebCompanionInstaller.exe	cmd.exe
PID 1928 wrote to memory of 428	1928	WebCompanionInstaller.exe	cmd.exe
PID 1928 wrote to memory of 428	1928	WebCompanionInstaller.exe	cmd.exe
PID 428 wrote to memory of 2008	428	cmd.exe	netsh.exe
PID 428 wrote to memory of 2008	428	cmd.exe	netsh.exe
PID 428 wrote to memory of 2008	428	cmd.exe	netsh.exe
PID 1928 wrote to memory of 4012	1928	WebCompanionInstaller.exe	WebCompanion.exe
PID 1928 wrote to memory of 4012	1928	WebCompanionInstaller.exe	WebCompanion.exe
PID 1928 wrote to memory of 4012	1928	WebCompanionInstaller.exe	WebCompanion.exe
PID 1224 wrote to memory of 840	1224	Lavasoft.WCAssistant.WinService.exe	cmd.exe
PID 1224 wrote to memory of 840	1224	Lavasoft.WCAssistant.WinService.exe	cmd.exe
PID 840 wrote to memory of 4008	840	cmd.exe	netsh.exe
PID 840 wrote to memory of 4008	840	cmd.exe	netsh.exe
PID 4012 wrote to memory of 4460	4012	WebCompanion.exe	csc.exe
PID 4012 wrote to memory of 4460	4012	WebCompanion.exe	csc.exe
PID 4012 wrote to memory of 4460	4012	WebCompanion.exe	csc.exe
PID 4460 wrote to memory of 4616	4460	csc.exe	cvtres.exe
PID 4460 wrote to memory of 4616	4460	csc.exe	cvtres.exe
PID 4460 wrote to memory of 4616	4460	csc.exe	cvtres.exe
PID 1224 wrote to memory of 776	1224	Lavasoft.WCAssistant.WinService.exe	csc.exe
PID 1224 wrote to memory of 776	1224	Lavasoft.WCAssistant.WinService.exe	csc.exe
PID 776 wrote to memory of 2512	776	csc.exe	cvtres.exe
PID 776 wrote to memory of 2512	776	csc.exe	cvtres.exe
PID 4012 wrote to memory of 2768	4012	WebCompanion.exe	Ad-Aware Web Companion.exe
PID 4012 wrote to memory of 2768	4012	WebCompanion.exe	Ad-Aware Web Companion.exe
PID 4012 wrote to memory of 2768	4012	WebCompanion.exe	Ad-Aware Web Companion.exe
PID 1928 wrote to memory of 364	1928	WebCompanionInstaller.exe	WebCompanion.exe
PID 1928 wrote to memory of 364	1928	WebCompanionInstaller.exe	WebCompanion.exe
PID 1928 wrote to memory of 364	1928	WebCompanionInstaller.exe	WebCompanion.exe
PID 1224 wrote to memory of 2516	1224	Lavasoft.WCAssistant.WinService.exe	csc.exe
PID 1224 wrote to memory of 2516	1224	Lavasoft.WCAssistant.WinService.exe	csc.exe
PID 2516 wrote to memory of 1056	2516	csc.exe	cvtres.exe
PID 2516 wrote to memory of 1056	2516	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe
"C:\Users\Admin\AppData\Local\Temp\880638c92fa2c08cb06e39cb26c8f0800a31261d7f9ca87b1b0d56e01d0e5299.exe"
1⤵
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:332

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://hostas.ga/bb/tds.php
2⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://hostas.ga/bb/tds.php
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:176 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe
C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2417.4248 --prod --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
4⤵
PID:384

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
4⤵
PID:4044

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
4⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
4⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
5⤵
PID:2008

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\daxo7jxu.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1837.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1836.tmp"
6⤵
PID:4616

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe" {993F5746-4C15-42BC-99C1-064A1764271B}
5⤵
- Executes dropped EXE
PID:2768

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:364

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
3⤵
PID:4008

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\lyhxhduq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES33ED.tmp" "c:\Windows\Temp\CSC33EC.tmp"
3⤵
PID:2512

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\whso5yv4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESBFB2.tmp" "c:\Windows\Temp\CSCBFB1.tmp"
3⤵
PID:1056

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
c2bc294bf9b951761422325a0e4e49da

SHA1
1c90a9fbc26c694bfc1cd020b10d81b3006b0a44

SHA256
c78cf609269e27ff72d4baaf85761f8092db143dd48cb892750dd3476edee6b0

SHA512
7dc9d7f1f0242b96dea94525d30c2add977be79801406a6ac860b561f307aa610dc0b94c161c949be3761c8e9a1fdbdf9440b45b937b21a72b684272cc01fc8e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
c2bc294bf9b951761422325a0e4e49da

SHA1
1c90a9fbc26c694bfc1cd020b10d81b3006b0a44

SHA256
c78cf609269e27ff72d4baaf85761f8092db143dd48cb892750dd3476edee6b0

SHA512
7dc9d7f1f0242b96dea94525d30c2add977be79801406a6ac860b561f307aa610dc0b94c161c949be3761c8e9a1fdbdf9440b45b937b21a72b684272cc01fc8e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
c2bc294bf9b951761422325a0e4e49da

SHA1
1c90a9fbc26c694bfc1cd020b10d81b3006b0a44

SHA256
c78cf609269e27ff72d4baaf85761f8092db143dd48cb892750dd3476edee6b0

SHA512
7dc9d7f1f0242b96dea94525d30c2add977be79801406a6ac860b561f307aa610dc0b94c161c949be3761c8e9a1fdbdf9440b45b937b21a72b684272cc01fc8e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
c2bc294bf9b951761422325a0e4e49da

SHA1
1c90a9fbc26c694bfc1cd020b10d81b3006b0a44

SHA256
c78cf609269e27ff72d4baaf85761f8092db143dd48cb892750dd3476edee6b0

SHA512
7dc9d7f1f0242b96dea94525d30c2add977be79801406a6ac860b561f307aa610dc0b94c161c949be3761c8e9a1fdbdf9440b45b937b21a72b684272cc01fc8e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
c2bc294bf9b951761422325a0e4e49da

SHA1
1c90a9fbc26c694bfc1cd020b10d81b3006b0a44

SHA256
c78cf609269e27ff72d4baaf85761f8092db143dd48cb892750dd3476edee6b0

SHA512
7dc9d7f1f0242b96dea94525d30c2add977be79801406a6ac860b561f307aa610dc0b94c161c949be3761c8e9a1fdbdf9440b45b937b21a72b684272cc01fc8e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll
Filesize
56KB

MD5
4a43cc1ea41a3933c29a4e38da724909

SHA1
2f7012a9e90a94867048dd7ff9e75fffd8e70502

SHA256
d74c0a9a8d79043b5c21290b57d5e5eeffe79be0c2f43169cbfda22410605b05

SHA512
dea2201d7102231de5644bebc4923e71556168e8c818382c34d6061f2fb82e52729143838cf60dba884a4ef60add0aef9ce5e40d28e19016ba59e2712dece10a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll
Filesize
56KB

MD5
4a43cc1ea41a3933c29a4e38da724909

SHA1
2f7012a9e90a94867048dd7ff9e75fffd8e70502

SHA256
d74c0a9a8d79043b5c21290b57d5e5eeffe79be0c2f43169cbfda22410605b05

SHA512
dea2201d7102231de5644bebc4923e71556168e8c818382c34d6061f2fb82e52729143838cf60dba884a4ef60add0aef9ce5e40d28e19016ba59e2712dece10a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll
Filesize
56KB

MD5
4a43cc1ea41a3933c29a4e38da724909

SHA1
2f7012a9e90a94867048dd7ff9e75fffd8e70502

SHA256
d74c0a9a8d79043b5c21290b57d5e5eeffe79be0c2f43169cbfda22410605b05

SHA512
dea2201d7102231de5644bebc4923e71556168e8c818382c34d6061f2fb82e52729143838cf60dba884a4ef60add0aef9ce5e40d28e19016ba59e2712dece10a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll
Filesize
56KB

MD5
4a43cc1ea41a3933c29a4e38da724909

SHA1
2f7012a9e90a94867048dd7ff9e75fffd8e70502

SHA256
d74c0a9a8d79043b5c21290b57d5e5eeffe79be0c2f43169cbfda22410605b05

SHA512
dea2201d7102231de5644bebc4923e71556168e8c818382c34d6061f2fb82e52729143838cf60dba884a4ef60add0aef9ce5e40d28e19016ba59e2712dece10a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll
Filesize
56KB

MD5
4a43cc1ea41a3933c29a4e38da724909

SHA1
2f7012a9e90a94867048dd7ff9e75fffd8e70502

SHA256
d74c0a9a8d79043b5c21290b57d5e5eeffe79be0c2f43169cbfda22410605b05

SHA512
dea2201d7102231de5644bebc4923e71556168e8c818382c34d6061f2fb82e52729143838cf60dba884a4ef60add0aef9ce5e40d28e19016ba59e2712dece10a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
Filesize
196KB

MD5
a64ce10c17c1df39e0b3167c20c75763

SHA1
87fd682ff36d56b007718f83dba52e66f9ffe02e

SHA256
8fcdaa5bab8bf2038b089e8f817fe96004469b80771fa5e971ef51b5c01599bd

SHA512
dae5258af61c82db59bfbf9f841b61746b304d901fc7017c3bbbbbcf8ea71193e955cde86d198b7303f4062ddc828266c7b02911429a16c1ca42d3dfec6233fd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
Filesize
196KB

MD5
a64ce10c17c1df39e0b3167c20c75763

SHA1
87fd682ff36d56b007718f83dba52e66f9ffe02e

SHA256
8fcdaa5bab8bf2038b089e8f817fe96004469b80771fa5e971ef51b5c01599bd

SHA512
dae5258af61c82db59bfbf9f841b61746b304d901fc7017c3bbbbbcf8ea71193e955cde86d198b7303f4062ddc828266c7b02911429a16c1ca42d3dfec6233fd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
Filesize
196KB

MD5
a64ce10c17c1df39e0b3167c20c75763

SHA1
87fd682ff36d56b007718f83dba52e66f9ffe02e

SHA256
8fcdaa5bab8bf2038b089e8f817fe96004469b80771fa5e971ef51b5c01599bd

SHA512
dae5258af61c82db59bfbf9f841b61746b304d901fc7017c3bbbbbcf8ea71193e955cde86d198b7303f4062ddc828266c7b02911429a16c1ca42d3dfec6233fd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
Filesize
196KB

MD5
a64ce10c17c1df39e0b3167c20c75763

SHA1
87fd682ff36d56b007718f83dba52e66f9ffe02e

SHA256
8fcdaa5bab8bf2038b089e8f817fe96004469b80771fa5e971ef51b5c01599bd

SHA512
dae5258af61c82db59bfbf9f841b61746b304d901fc7017c3bbbbbcf8ea71193e955cde86d198b7303f4062ddc828266c7b02911429a16c1ca42d3dfec6233fd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
Filesize
196KB

MD5
a64ce10c17c1df39e0b3167c20c75763

SHA1
87fd682ff36d56b007718f83dba52e66f9ffe02e

SHA256
8fcdaa5bab8bf2038b089e8f817fe96004469b80771fa5e971ef51b5c01599bd

SHA512
dae5258af61c82db59bfbf9f841b61746b304d901fc7017c3bbbbbcf8ea71193e955cde86d198b7303f4062ddc828266c7b02911429a16c1ca42d3dfec6233fd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
Filesize
122KB

MD5
1621c94a96e78de23ed8c36727aa3ae2

SHA1
1efb06f83396f063df81ad9ea480867dc59984a7

SHA256
f2cb8d625a8900bdf99f21c78eb2d718d627e8d1a7a6eb4885654a3c7c1da4f6

SHA512
8f714c3a46843f9080537134b0fb31decb2c93556ab8bf0bc7f1d04646ae2b183e301640ab8f9d4321344867b1af23f8fe7eb4de0d245453f98cc298c8127728

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
Filesize
122KB

MD5
1621c94a96e78de23ed8c36727aa3ae2

SHA1
1efb06f83396f063df81ad9ea480867dc59984a7

SHA256
f2cb8d625a8900bdf99f21c78eb2d718d627e8d1a7a6eb4885654a3c7c1da4f6

SHA512
8f714c3a46843f9080537134b0fb31decb2c93556ab8bf0bc7f1d04646ae2b183e301640ab8f9d4321344867b1af23f8fe7eb4de0d245453f98cc298c8127728

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
Filesize
122KB

MD5
1621c94a96e78de23ed8c36727aa3ae2

SHA1
1efb06f83396f063df81ad9ea480867dc59984a7

SHA256
f2cb8d625a8900bdf99f21c78eb2d718d627e8d1a7a6eb4885654a3c7c1da4f6

SHA512
8f714c3a46843f9080537134b0fb31decb2c93556ab8bf0bc7f1d04646ae2b183e301640ab8f9d4321344867b1af23f8fe7eb4de0d245453f98cc298c8127728

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
Filesize
122KB

MD5
1621c94a96e78de23ed8c36727aa3ae2

SHA1
1efb06f83396f063df81ad9ea480867dc59984a7

SHA256
f2cb8d625a8900bdf99f21c78eb2d718d627e8d1a7a6eb4885654a3c7c1da4f6

SHA512
8f714c3a46843f9080537134b0fb31decb2c93556ab8bf0bc7f1d04646ae2b183e301640ab8f9d4321344867b1af23f8fe7eb4de0d245453f98cc298c8127728

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
Filesize
122KB

MD5
1621c94a96e78de23ed8c36727aa3ae2

SHA1
1efb06f83396f063df81ad9ea480867dc59984a7

SHA256
f2cb8d625a8900bdf99f21c78eb2d718d627e8d1a7a6eb4885654a3c7c1da4f6

SHA512
8f714c3a46843f9080537134b0fb31decb2c93556ab8bf0bc7f1d04646ae2b183e301640ab8f9d4321344867b1af23f8fe7eb4de0d245453f98cc298c8127728

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll
Filesize
477KB

MD5
be3d79c30985aa0b07bb6904fdca8350

SHA1
8b60bf774d101109e1ac9b5ad1c223da38decd90

SHA256
58800683b8cb3611c0ea7a91c61f99205aa8da0259e52fcd23fd932aec5e57ba

SHA512
7102d5b6f2206bbede625036f0bc379c48c758015b90aa383bc6657f302f9fcaaad47bd1e77aee2430256808fb1da6b36f399ec512d13426cee4d27189bd0f6d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll
Filesize
477KB

MD5
be3d79c30985aa0b07bb6904fdca8350

SHA1
8b60bf774d101109e1ac9b5ad1c223da38decd90

SHA256
58800683b8cb3611c0ea7a91c61f99205aa8da0259e52fcd23fd932aec5e57ba

SHA512
7102d5b6f2206bbede625036f0bc379c48c758015b90aa383bc6657f302f9fcaaad47bd1e77aee2430256808fb1da6b36f399ec512d13426cee4d27189bd0f6d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll
Filesize
477KB

MD5
be3d79c30985aa0b07bb6904fdca8350

SHA1
8b60bf774d101109e1ac9b5ad1c223da38decd90

SHA256
58800683b8cb3611c0ea7a91c61f99205aa8da0259e52fcd23fd932aec5e57ba

SHA512
7102d5b6f2206bbede625036f0bc379c48c758015b90aa383bc6657f302f9fcaaad47bd1e77aee2430256808fb1da6b36f399ec512d13426cee4d27189bd0f6d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll
Filesize
477KB

MD5
be3d79c30985aa0b07bb6904fdca8350

SHA1
8b60bf774d101109e1ac9b5ad1c223da38decd90

SHA256
58800683b8cb3611c0ea7a91c61f99205aa8da0259e52fcd23fd932aec5e57ba

SHA512
7102d5b6f2206bbede625036f0bc379c48c758015b90aa383bc6657f302f9fcaaad47bd1e77aee2430256808fb1da6b36f399ec512d13426cee4d27189bd0f6d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll
Filesize
477KB

MD5
be3d79c30985aa0b07bb6904fdca8350

SHA1
8b60bf774d101109e1ac9b5ad1c223da38decd90

SHA256
58800683b8cb3611c0ea7a91c61f99205aa8da0259e52fcd23fd932aec5e57ba

SHA512
7102d5b6f2206bbede625036f0bc379c48c758015b90aa383bc6657f302f9fcaaad47bd1e77aee2430256808fb1da6b36f399ec512d13426cee4d27189bd0f6d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll
Filesize
83KB

MD5
d5c31fede4beab43b12c04e2b1f62752

SHA1
53ce138616adcda3b76d6b7d341b7116895e1bde

SHA256
65c36c0e83780dbe52f0324e3f16639eda216ca4c3c7be9336dd4df20fa3b8da

SHA512
a1c05a70461945f3c53d82247803df17cf4930699fdc8b83d9776868138ecacb54dedbe698b873f6e49590700a13cdaf4b209490f53c372fc60c8193295e0529

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
Filesize
104KB

MD5
ca68de1bda08520bd34dc6673dd4f281

SHA1
67554404de7c38be13101d8b270ac00feadd0c96

SHA256
be915855427f5347cabeeffd6c3b8acca4f6b959b1396c2eb1420211db2c9ab6

SHA512
ff393f47e53ad43b6acd44d4dd4b694c4b947028e62d0f8983bd97435cb85159fc467e2cd2ad8db1c32597f1364eb12b9dce1b760a191631c56d72f6924485f3

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
Filesize
104KB

MD5
ca68de1bda08520bd34dc6673dd4f281

SHA1
67554404de7c38be13101d8b270ac00feadd0c96

SHA256
be915855427f5347cabeeffd6c3b8acca4f6b959b1396c2eb1420211db2c9ab6

SHA512
ff393f47e53ad43b6acd44d4dd4b694c4b947028e62d0f8983bd97435cb85159fc467e2cd2ad8db1c32597f1364eb12b9dce1b760a191631c56d72f6924485f3

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
Filesize
104KB

MD5
ca68de1bda08520bd34dc6673dd4f281

SHA1
67554404de7c38be13101d8b270ac00feadd0c96

SHA256
be915855427f5347cabeeffd6c3b8acca4f6b959b1396c2eb1420211db2c9ab6

SHA512
ff393f47e53ad43b6acd44d4dd4b694c4b947028e62d0f8983bd97435cb85159fc467e2cd2ad8db1c32597f1364eb12b9dce1b760a191631c56d72f6924485f3

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
Filesize
104KB

MD5
ca68de1bda08520bd34dc6673dd4f281

SHA1
67554404de7c38be13101d8b270ac00feadd0c96

SHA256
be915855427f5347cabeeffd6c3b8acca4f6b959b1396c2eb1420211db2c9ab6

SHA512
ff393f47e53ad43b6acd44d4dd4b694c4b947028e62d0f8983bd97435cb85159fc467e2cd2ad8db1c32597f1364eb12b9dce1b760a191631c56d72f6924485f3

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
Filesize
104KB

MD5
ca68de1bda08520bd34dc6673dd4f281

SHA1
67554404de7c38be13101d8b270ac00feadd0c96

SHA256
be915855427f5347cabeeffd6c3b8acca4f6b959b1396c2eb1420211db2c9ab6

SHA512
ff393f47e53ad43b6acd44d4dd4b694c4b947028e62d0f8983bd97435cb85159fc467e2cd2ad8db1c32597f1364eb12b9dce1b760a191631c56d72f6924485f3

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
Filesize
428KB

MD5
ccee2ac61dd73892cdc0cbd32993bc1d

SHA1
14db7a21d9ab4b422b8bb113cb9c5de57dca8128

SHA256
d90c0dc5e4c232fbcad07fe6893e2b0ea23523d506dea1c6ee8bccb57aff794c

SHA512
2d2ddccfd21755d251cc4b936570147f97b74c5a94a3e4de64b57fc3b78fcd39c50b615ee7704d5d6e9ebba980931b94ba8bb746699651872c0bc7dee734721b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
Filesize
428KB

MD5
ccee2ac61dd73892cdc0cbd32993bc1d

SHA1
14db7a21d9ab4b422b8bb113cb9c5de57dca8128

SHA256
d90c0dc5e4c232fbcad07fe6893e2b0ea23523d506dea1c6ee8bccb57aff794c

SHA512
2d2ddccfd21755d251cc4b936570147f97b74c5a94a3e4de64b57fc3b78fcd39c50b615ee7704d5d6e9ebba980931b94ba8bb746699651872c0bc7dee734721b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
Filesize
428KB

MD5
ccee2ac61dd73892cdc0cbd32993bc1d

SHA1
14db7a21d9ab4b422b8bb113cb9c5de57dca8128

SHA256
d90c0dc5e4c232fbcad07fe6893e2b0ea23523d506dea1c6ee8bccb57aff794c

SHA512
2d2ddccfd21755d251cc4b936570147f97b74c5a94a3e4de64b57fc3b78fcd39c50b615ee7704d5d6e9ebba980931b94ba8bb746699651872c0bc7dee734721b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
Filesize
428KB

MD5
ccee2ac61dd73892cdc0cbd32993bc1d

SHA1
14db7a21d9ab4b422b8bb113cb9c5de57dca8128

SHA256
d90c0dc5e4c232fbcad07fe6893e2b0ea23523d506dea1c6ee8bccb57aff794c

SHA512
2d2ddccfd21755d251cc4b936570147f97b74c5a94a3e4de64b57fc3b78fcd39c50b615ee7704d5d6e9ebba980931b94ba8bb746699651872c0bc7dee734721b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll
Filesize
428KB

MD5
ccee2ac61dd73892cdc0cbd32993bc1d

SHA1
14db7a21d9ab4b422b8bb113cb9c5de57dca8128

SHA256
d90c0dc5e4c232fbcad07fe6893e2b0ea23523d506dea1c6ee8bccb57aff794c

SHA512
2d2ddccfd21755d251cc4b936570147f97b74c5a94a3e4de64b57fc3b78fcd39c50b615ee7704d5d6e9ebba980931b94ba8bb746699651872c0bc7dee734721b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
Filesize
8.1MB

MD5
77f2c58048cf41ce6cc2f7c97d5d59a8

SHA1
8ba2b2d965a53fdf6d8a86e4c2d7c1ff81e63d3e

SHA256
b69bee6313e4c2eb119ad2cc53b37c6c2e124d69e979e24c6abbb6bb81ae0cb4

SHA512
d8a24dd7c6cd747c173a7b4b83538e5fc5c11c412e2053b3bd3b17e223ff44ed5b2f5f4abc911ce38f1dedceffffbab2f1c85ff46faf9f2bf01151c0dc1dd0cd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
Filesize
8.1MB

MD5
77f2c58048cf41ce6cc2f7c97d5d59a8

SHA1
8ba2b2d965a53fdf6d8a86e4c2d7c1ff81e63d3e

SHA256
b69bee6313e4c2eb119ad2cc53b37c6c2e124d69e979e24c6abbb6bb81ae0cb4

SHA512
d8a24dd7c6cd747c173a7b4b83538e5fc5c11c412e2053b3bd3b17e223ff44ed5b2f5f4abc911ce38f1dedceffffbab2f1c85ff46faf9f2bf01151c0dc1dd0cd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config
Filesize
18KB

MD5
8b3576cde2e6f7bc30632a1f507bd87b

SHA1
1ac9c3614d8c5d04941563186e4678dd669bf1c6

SHA256
440f5772d57f9cf586619c05ddb864a48a432636eec7870cbbbd5239b5ab447e

SHA512
29c0773cd232716b11c4db923eae368f23be6623e386224d27ec055b4bf90606694f8ca226d59a596a904a9d72635376e94219ace4124525720b14b532e9ff0f

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
Filesize
316KB

MD5
ee8b943bb72031b910f84ab4fa65e57b

SHA1
485c9fa129c4c2316f5048398e79e086d0359563

SHA256
2484a55e0d929117e0ab9c510352e55f68872c76b7abc51e382d3ecdc987554a

SHA512
93eefae3ebc2c0c95a4f84f945528e7ffe9463efaf67bb1e7c11f645283f2604a2d44dc481b489eb90850f14b7dd04d7941a12417b65de37144abb0c1dc119cd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
Filesize
316KB

MD5
ee8b943bb72031b910f84ab4fa65e57b

SHA1
485c9fa129c4c2316f5048398e79e086d0359563

SHA256
2484a55e0d929117e0ab9c510352e55f68872c76b7abc51e382d3ecdc987554a

SHA512
93eefae3ebc2c0c95a4f84f945528e7ffe9463efaf67bb1e7c11f645283f2604a2d44dc481b489eb90850f14b7dd04d7941a12417b65de37144abb0c1dc119cd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
Filesize
316KB

MD5
ee8b943bb72031b910f84ab4fa65e57b

SHA1
485c9fa129c4c2316f5048398e79e086d0359563

SHA256
2484a55e0d929117e0ab9c510352e55f68872c76b7abc51e382d3ecdc987554a

SHA512
93eefae3ebc2c0c95a4f84f945528e7ffe9463efaf67bb1e7c11f645283f2604a2d44dc481b489eb90850f14b7dd04d7941a12417b65de37144abb0c1dc119cd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
Filesize
316KB

MD5
ee8b943bb72031b910f84ab4fa65e57b

SHA1
485c9fa129c4c2316f5048398e79e086d0359563

SHA256
2484a55e0d929117e0ab9c510352e55f68872c76b7abc51e382d3ecdc987554a

SHA512
93eefae3ebc2c0c95a4f84f945528e7ffe9463efaf67bb1e7c11f645283f2604a2d44dc481b489eb90850f14b7dd04d7941a12417b65de37144abb0c1dc119cd

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll
Filesize
316KB

MD5
ee8b943bb72031b910f84ab4fa65e57b

SHA1
485c9fa129c4c2316f5048398e79e086d0359563

SHA256
2484a55e0d929117e0ab9c510352e55f68872c76b7abc51e382d3ecdc987554a

SHA512
93eefae3ebc2c0c95a4f84f945528e7ffe9463efaf67bb1e7c11f645283f2604a2d44dc481b489eb90850f14b7dd04d7941a12417b65de37144abb0c1dc119cd

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\Partner.txt
Filesize
51B

MD5
45a70d140009ac215d82dfbabbdd67fe

SHA1
181cc4691dc09735acdacabd272c4f366639f595

SHA256
bec9c22f95c27d962ad2c8892602f7ba8bd10c5a6a1d94b5cc2bf0bafa81ff19

SHA512
b86d450776b4e17e830ad10d5915a91ff4d80cb3f0f7733905790291d9b237d54293b94782fa9d6899a479e0055d5f60e55b9beac225705717a081d5f1e55041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
1KB

MD5
ba2a0c051ed9e4989d8a1adba02be45c

SHA1
8c67de6e0de642f50b8bd428987f4d99f9a32a68

SHA256
ceb1797d742dfe11f126c330d962e020b806ea383d93b51c5143cf1adf127351

SHA512
f3cd64b2807177e3ad387b895927bf7f989654905c74aad0f494b9c7769c2d4793ae1eb929a0ffc6116562f134286edf61af38468731bd96469f52b47bb59eeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2
Filesize
1KB

MD5
7df674134ee524021bd82d0c4f4e56c6

SHA1
eacfc497c3275c707e5015be050494bbc266f77c

SHA256
e7acb1558a69b883ac816650a93bf95f43898193da497488ec8590dd25adb888

SHA512
29b5698356567456381f0b76ebff66788cf90a8feb217b793d77f719f36bbcd47ed28fc342c3d106c2c9c7034c70083991ee5451550062d1dd916cf92a64e26a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
720039295bd927f481ba4f7c9a07a23a

SHA1
3e411a1e074fd4b65d40f7fab5e51de2973fda90

SHA256
69cb028223ae6ebd9b1517fe31ed27e4d9df5b8ad66fbfcd4ab14935a8ad0745

SHA512
d56b382665181d91357c3d485cfab34d1140921bdd020d29c8b27fde81827e9f649b81620a53eb1924e030acc354e71d5b1178e7e89c830b08ef03f0d441e84e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_28DD3630238B51427119DAF9326B45F2
Filesize
398B

MD5
a572b44e3b723a0eaededb7435bc2544

SHA1
f54d99a38abaa632e4110b4b8cc494aec14b1bd6

SHA256
d313c8cac54b50fde4cdae93ba154b8cca9d60b7238b557d2d5e8bfc608b4cd4

SHA512
8f735ad43912d85237ab3cc7532bc599239a4f7204150a42d62e7327d9869e84431c8ba7c2cca521d93c98630247f3aa22a7819ca4d50420892d37518690e953

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
9ca372e8f1a3805b3ba02c1bdcc101e3

SHA1
a112a7456e76adb88c403118bc5aa843b41e7560

SHA256
c5d4f060359b45df242da27d587534a5deb07aa1e7f2c94b9832eac7a1147958

SHA512
11818b010d70814332f36e698b570eb47c975ca9fe1e1d51d4616ff1b203a4390916f6cefcda375b3fbfb6ba5ef7aade0d7dcf6105ea6ce65cb0e7886cce1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
9ca372e8f1a3805b3ba02c1bdcc101e3

SHA1
a112a7456e76adb88c403118bc5aa843b41e7560

SHA256
c5d4f060359b45df242da27d587534a5deb07aa1e7f2c94b9832eac7a1147958

SHA512
11818b010d70814332f36e698b570eb47c975ca9fe1e1d51d4616ff1b203a4390916f6cefcda375b3fbfb6ba5ef7aade0d7dcf6105ea6ce65cb0e7886cce1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
9ca372e8f1a3805b3ba02c1bdcc101e3

SHA1
a112a7456e76adb88c403118bc5aa843b41e7560

SHA256
c5d4f060359b45df242da27d587534a5deb07aa1e7f2c94b9832eac7a1147958

SHA512
11818b010d70814332f36e698b570eb47c975ca9fe1e1d51d4616ff1b203a4390916f6cefcda375b3fbfb6ba5ef7aade0d7dcf6105ea6ce65cb0e7886cce1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
9ca372e8f1a3805b3ba02c1bdcc101e3

SHA1
a112a7456e76adb88c403118bc5aa843b41e7560

SHA256
c5d4f060359b45df242da27d587534a5deb07aa1e7f2c94b9832eac7a1147958

SHA512
11818b010d70814332f36e698b570eb47c975ca9fe1e1d51d4616ff1b203a4390916f6cefcda375b3fbfb6ba5ef7aade0d7dcf6105ea6ce65cb0e7886cce1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\ICSharpCode.SharpZipLib.dll
Filesize
208KB

MD5
9ca372e8f1a3805b3ba02c1bdcc101e3

SHA1
a112a7456e76adb88c403118bc5aa843b41e7560

SHA256
c5d4f060359b45df242da27d587534a5deb07aa1e7f2c94b9832eac7a1147958

SHA512
11818b010d70814332f36e698b570eb47c975ca9fe1e1d51d4616ff1b203a4390916f6cefcda375b3fbfb6ba5ef7aade0d7dcf6105ea6ce65cb0e7886cce1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\Newtonsoft.Json.dll
Filesize
428KB

MD5
0de6a884ee8bf431a7bb8cfb46b37c17

SHA1
139c151e8f86406e4a7dc2dbe300ea5e69cfada5

SHA256
107b2784e06328e6c844b17bd9286815eef031913d177bd4598b283b3e0b0857

SHA512
3fdcdc436ce43fe9a0100dceb4f591b98c27d3b0b46ad0031c6180f28e96eb6b7b876e8f71170cb920c0290abd05c28442300e2d13e04f731484cee1bee057da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\Newtonsoft.Json.dll
Filesize
428KB

MD5
0de6a884ee8bf431a7bb8cfb46b37c17

SHA1
139c151e8f86406e4a7dc2dbe300ea5e69cfada5

SHA256
107b2784e06328e6c844b17bd9286815eef031913d177bd4598b283b3e0b0857

SHA512
3fdcdc436ce43fe9a0100dceb4f591b98c27d3b0b46ad0031c6180f28e96eb6b7b876e8f71170cb920c0290abd05c28442300e2d13e04f731484cee1bee057da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\Newtonsoft.Json.dll
Filesize
428KB

MD5
0de6a884ee8bf431a7bb8cfb46b37c17

SHA1
139c151e8f86406e4a7dc2dbe300ea5e69cfada5

SHA256
107b2784e06328e6c844b17bd9286815eef031913d177bd4598b283b3e0b0857

SHA512
3fdcdc436ce43fe9a0100dceb4f591b98c27d3b0b46ad0031c6180f28e96eb6b7b876e8f71170cb920c0290abd05c28442300e2d13e04f731484cee1bee057da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\Newtonsoft.Json.dll
Filesize
428KB

MD5
0de6a884ee8bf431a7bb8cfb46b37c17

SHA1
139c151e8f86406e4a7dc2dbe300ea5e69cfada5

SHA256
107b2784e06328e6c844b17bd9286815eef031913d177bd4598b283b3e0b0857

SHA512
3fdcdc436ce43fe9a0100dceb4f591b98c27d3b0b46ad0031c6180f28e96eb6b7b876e8f71170cb920c0290abd05c28442300e2d13e04f731484cee1bee057da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\Newtonsoft.Json.dll
Filesize
428KB

MD5
0de6a884ee8bf431a7bb8cfb46b37c17

SHA1
139c151e8f86406e4a7dc2dbe300ea5e69cfada5

SHA256
107b2784e06328e6c844b17bd9286815eef031913d177bd4598b283b3e0b0857

SHA512
3fdcdc436ce43fe9a0100dceb4f591b98c27d3b0b46ad0031c6180f28e96eb6b7b876e8f71170cb920c0290abd05c28442300e2d13e04f731484cee1bee057da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\WebCompanionInstaller.exe
Filesize
364KB

MD5
fc6914ec6bfcc36059143a72e2073c19

SHA1
79eecd6c9c1cf5f3af56f796189ff3b7183145fa

SHA256
d22bcbc8b7afc8784bc845313668db68f18ed948097c5dd4185a0fc1d75c0300

SHA512
787b0b21c655e84d51b211f1e3a34b0e89006ab81ad82dda35f859dd16c0bbce2fb6d3bced053a3b4867b8ed5958863d4c6b1cd8a0bcea31686b9b71ed800f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\WebCompanionInstaller.exe
Filesize
364KB

MD5
fc6914ec6bfcc36059143a72e2073c19

SHA1
79eecd6c9c1cf5f3af56f796189ff3b7183145fa

SHA256
d22bcbc8b7afc8784bc845313668db68f18ed948097c5dd4185a0fc1d75c0300

SHA512
787b0b21c655e84d51b211f1e3a34b0e89006ab81ad82dda35f859dd16c0bbce2fb6d3bced053a3b4867b8ed5958863d4c6b1cd8a0bcea31686b9b71ed800f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS800FB2D7\WebCompanionInstaller.exe.config
Filesize
1KB

MD5
0d86e732c7d385b99b69eb1ec27af0a3

SHA1
f5ff2bfc03b4b7704f5c2add6f7efcd7e177006e

SHA256
b33e2cb24a9641d16dab02ba41564b7b3a6cfd9c81843878d04f93b4a6ea875e

SHA512
87b8a4de11c14b9d0f3b93b26f8bab47c53feae3a00d4d11da7a1ff4dd3fd4408ffb9a2157752608800f0a0beaba15fb4dadaaa0d16db28c6604ca400979c36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe
Filesize
495KB

MD5
f949b0ade05cfb46a4486bc150f52095

SHA1
60187fe5345fbf4568a375d973b183ae2cfc0207

SHA256
3b12f9f12434aafb4a532e14f458ae32f339eebe4cef303b35566dd5194b2e0a

SHA512
013882c96a1bcbdb63f9436807c9f6135d1d4a937d743530829faa59a6a178de803eebde3b93096ef9919373087d0f9716161d39544e6ca911e9435b7dfa127e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe
Filesize
495KB

MD5
f949b0ade05cfb46a4486bc150f52095

SHA1
60187fe5345fbf4568a375d973b183ae2cfc0207

SHA256
3b12f9f12434aafb4a532e14f458ae32f339eebe4cef303b35566dd5194b2e0a

SHA512
013882c96a1bcbdb63f9436807c9f6135d1d4a937d743530829faa59a6a178de803eebde3b93096ef9919373087d0f9716161d39544e6ca911e9435b7dfa127e

Download Submit
memory/364-214-0x0000000000000000-mapping.dmp

Download
memory/364-215-0x0000000070B00000-0x00000000710B1000-memory.dmp

Filesize
5.7MB

Download
memory/364-217-0x000000006D530000-0x000000006D542000-memory.dmp

Filesize
72KB

Download
memory/384-148-0x0000000000000000-mapping.dmp

Download
memory/428-151-0x0000000000000000-mapping.dmp

Download
memory/776-211-0x0000000000000000-mapping.dmp

Download
memory/840-206-0x0000000000000000-mapping.dmp

Download
memory/1056-219-0x0000000000000000-mapping.dmp

Download
memory/1224-205-0x00007FFEA9660000-0x00007FFEAA096000-memory.dmp

Filesize
10.2MB

Download
memory/1224-210-0x0000000000B3A000-0x0000000000B3F000-memory.dmp

Filesize
20KB

Download
memory/1928-133-0x0000000000000000-mapping.dmp

Download
memory/1928-137-0x0000000070B00000-0x00000000710B1000-memory.dmp

Filesize
5.7MB

Download
memory/2008-152-0x0000000000000000-mapping.dmp

Download
memory/2512-212-0x0000000000000000-mapping.dmp

Download
memory/2516-218-0x0000000000000000-mapping.dmp

Download
memory/2768-213-0x0000000000000000-mapping.dmp

Download
memory/3788-216-0x00007FFEA9660000-0x00007FFEAA096000-memory.dmp

Filesize
10.2MB

Download
memory/4008-207-0x0000000000000000-mapping.dmp

Download
memory/4012-204-0x000000006D240000-0x000000006D252000-memory.dmp

Filesize
72KB

Download
memory/4012-153-0x0000000000000000-mapping.dmp

Download
memory/4012-161-0x0000000070B00000-0x00000000710B1000-memory.dmp

Filesize
5.7MB

Download
memory/4044-149-0x0000000000000000-mapping.dmp

Download
memory/4068-150-0x0000000000000000-mapping.dmp

Download
memory/4104-130-0x0000000000000000-mapping.dmp

Download
memory/4460-208-0x0000000000000000-mapping.dmp

Download
memory/4616-209-0x0000000000000000-mapping.dmp

Download