gcleaner | 8fe23c7ce77f896f97eb21dc5551854519c68efe224c646f6146e7e21683d820

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2023 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe
Size

7.9MB
MD5

2d998c4036a0b19b9c774ba6f6e757fa
SHA1

f5439f14e60f82ae08e4fcf6fe1a7064af62bd95
SHA256

8fe23c7ce77f896f97eb21dc5551854519c68efe224c646f6146e7e21683d820
SHA512

42e9cb87da3028988aac976f810ba055a8e7bf222bdd929a49fa34ae960b897bed67b6a25d4fd619a55e52441a666e5f82590630ddee7bc6825c0630e06e868f
SSDEEP

196608:dYODeNKfSlDUi8FMkMYTdbdODeNKfSlDUDt5o9x:OKEK6LiMkMwKEK60o9x

Score

10^/10

gcleaner discovery loader persistence

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET5C39.tmp	RunDLL32.Exe
File created	C:\Windows\system32\DRIVERS\SET5C39.tmp	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\bddci.sys	RunDLL32.Exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	s0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WebCompanionInstaller.exe

Executes dropped EXE 12 IoCs

pid	Process
5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp
732	setup.exe
2736	setup.tmp
1176	s0.exe
1200	s1.exe
4024	WebCompanionInstaller.exe
4232	DCIService.exe
4204	WebCompanion.exe
4532	WebCompanion.exe
1256	WebCompanion.exe
4844	s2.exe
5116	s2.exe

Loads dropped DLL 64 IoCs

pid	Process
2736	setup.tmp
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4232	DCIService.exe
4232	DCIService.exe
4232	DCIService.exe
4232	DCIService.exe
4232	DCIService.exe
4232	DCIService.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4204	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe
4532	WebCompanion.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autogen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-I22UK.tmp\\s2.exe"	s2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-rtlsupport-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ionic.Zip.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.inf	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-datetime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-interlocked-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-process-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\concrt140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-console-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-runtime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\LZ4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bridge_uninstall.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l2-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Omni.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\pop3.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\BDUpdateServiceCom.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-string-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bdnc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-conio-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-time-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bittorrent.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\OnlineThreatsSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUEngineS.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-utility-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bdnc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bridge_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Search.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-sysinfo-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_uninstall.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bdnc.ini	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_install.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-processthreads-l1-1-1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_install_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\tr-TR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-synch-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-profile-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bittorrent.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack\unins000.dat	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-environment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smb.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-synch-l1-1-0.dll	WebCompanionInstaller.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3268	sc.exe
3728	sc.exe
2960	sc.exe
4292	sc.exe
5048	sc.exe
2452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3092	1176	WerFault.exe	89
1696	1176	WerFault.exe	89
4292	1176	WerFault.exe	89
1428	1176	WerFault.exe	89
5044	1176	WerFault.exe	89
4484	1176	WerFault.exe	89
4876	1176	WerFault.exe	89
400	1176	WerFault.exe	89
3452	1176	WerFault.exe	89

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
768	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	WebCompanionInstaller.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp
5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe
4024	WebCompanionInstaller.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	4024	WebCompanionInstaller.exe
Token: SeDebugPrivilege	4204	WebCompanion.exe
Token: SeDebugPrivilege	4532	WebCompanion.exe
Token: SeDebugPrivilege	1256	WebCompanion.exe
Token: 35	5116	s2.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: 36	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: 36	1952	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 5084	4112	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe	84
PID 4112 wrote to memory of 5084	4112	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe	84
PID 4112 wrote to memory of 5084	4112	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe	84
PID 5084 wrote to memory of 732	5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp	86
PID 5084 wrote to memory of 732	5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp	86
PID 5084 wrote to memory of 732	5084	Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp	86
PID 732 wrote to memory of 2736	732	setup.exe	87
PID 732 wrote to memory of 2736	732	setup.exe	87
PID 732 wrote to memory of 2736	732	setup.exe	87
PID 2736 wrote to memory of 1176	2736	setup.tmp	89
PID 2736 wrote to memory of 1176	2736	setup.tmp	89
PID 2736 wrote to memory of 1176	2736	setup.tmp	89
PID 1176 wrote to memory of 3664	1176	s0.exe	110
PID 1176 wrote to memory of 3664	1176	s0.exe	110
PID 1176 wrote to memory of 3664	1176	s0.exe	110
PID 3664 wrote to memory of 768	3664	cmd.exe	114
PID 3664 wrote to memory of 768	3664	cmd.exe	114
PID 3664 wrote to memory of 768	3664	cmd.exe	114
PID 2736 wrote to memory of 1200	2736	setup.tmp	117
PID 2736 wrote to memory of 1200	2736	setup.tmp	117
PID 2736 wrote to memory of 1200	2736	setup.tmp	117
PID 1200 wrote to memory of 4024	1200	s1.exe	118
PID 1200 wrote to memory of 4024	1200	s1.exe	118
PID 1200 wrote to memory of 4024	1200	s1.exe	118
PID 4024 wrote to memory of 3268	4024	WebCompanionInstaller.exe	119
PID 4024 wrote to memory of 3268	4024	WebCompanionInstaller.exe	119
PID 4024 wrote to memory of 3268	4024	WebCompanionInstaller.exe	119
PID 4024 wrote to memory of 3728	4024	WebCompanionInstaller.exe	121
PID 4024 wrote to memory of 3728	4024	WebCompanionInstaller.exe	121
PID 4024 wrote to memory of 3728	4024	WebCompanionInstaller.exe	121
PID 4024 wrote to memory of 2960	4024	WebCompanionInstaller.exe	123
PID 4024 wrote to memory of 2960	4024	WebCompanionInstaller.exe	123
PID 4024 wrote to memory of 2960	4024	WebCompanionInstaller.exe	123
PID 4024 wrote to memory of 1068	4024	WebCompanionInstaller.exe	125
PID 4024 wrote to memory of 1068	4024	WebCompanionInstaller.exe	125
PID 1068 wrote to memory of 2496	1068	RunDLL32.Exe	126
PID 1068 wrote to memory of 2496	1068	RunDLL32.Exe	126
PID 2496 wrote to memory of 5112	2496	runonce.exe	127
PID 2496 wrote to memory of 5112	2496	runonce.exe	127
PID 4024 wrote to memory of 3848	4024	WebCompanionInstaller.exe	129
PID 4024 wrote to memory of 3848	4024	WebCompanionInstaller.exe	129
PID 4024 wrote to memory of 4292	4024	WebCompanionInstaller.exe	130
PID 4024 wrote to memory of 4292	4024	WebCompanionInstaller.exe	130
PID 4024 wrote to memory of 4292	4024	WebCompanionInstaller.exe	130
PID 3848 wrote to memory of 1552	3848	net.exe	133
PID 3848 wrote to memory of 1552	3848	net.exe	133
PID 4024 wrote to memory of 5048	4024	WebCompanionInstaller.exe	134
PID 4024 wrote to memory of 5048	4024	WebCompanionInstaller.exe	134
PID 4024 wrote to memory of 5048	4024	WebCompanionInstaller.exe	134
PID 4024 wrote to memory of 3816	4024	WebCompanionInstaller.exe	136
PID 4024 wrote to memory of 3816	4024	WebCompanionInstaller.exe	136
PID 4024 wrote to memory of 3816	4024	WebCompanionInstaller.exe	136
PID 3816 wrote to memory of 2452	3816	cmd.exe	138
PID 3816 wrote to memory of 2452	3816	cmd.exe	138
PID 3816 wrote to memory of 2452	3816	cmd.exe	138
PID 4024 wrote to memory of 4676	4024	WebCompanionInstaller.exe	140
PID 4024 wrote to memory of 4676	4024	WebCompanionInstaller.exe	140
PID 4024 wrote to memory of 4676	4024	WebCompanionInstaller.exe	140
PID 4676 wrote to memory of 5068	4676	cmd.exe	142
PID 4676 wrote to memory of 5068	4676	cmd.exe	142
PID 4676 wrote to memory of 5068	4676	cmd.exe	142
PID 4024 wrote to memory of 4204	4024	WebCompanionInstaller.exe	143
PID 4024 wrote to memory of 4204	4024	WebCompanionInstaller.exe	143
PID 4024 wrote to memory of 4204	4024	WebCompanionInstaller.exe	143

C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\is-K9ED2.tmp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K9ED2.tmp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp" /SL5="$E0056,7406371,832512,C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\is-ENN5F.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-ENN5F.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Users\Admin\AppData\Local\Temp\is-9A99I.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9A99I.tmp\setup.tmp" /SL5="$101F6,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-ENN5F.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s0.exe" /mixten SUB=2500
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 456
        6⤵
        Program crash
        
        PID:3092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 764
        6⤵
        Program crash
        
        PID:1696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 772
        6⤵
        Program crash
        
        PID:4292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 772
        6⤵
        Program crash
        
        PID:1428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 836
        6⤵
        Program crash
        
        PID:5044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 984
        6⤵
        Program crash
        
        PID:4484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 984
        6⤵
        Program crash
        
        PID:4876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1364
        6⤵
        Program crash
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "s0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s0.exe" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "s0.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 516
        6⤵
        Program crash
        
        PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s1.exe" --silent --partner=IT210801
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\7zS0B461327\WebCompanionInstaller.exe
        
        .\WebCompanionInstaller.exe --partner=IT210801 --version=8.9.0.371 --silent --partner=IT210801
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
        7⤵
        Launches sc.exe
        
        PID:3268
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
        7⤵
        Launches sc.exe
        
        PID:3728
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
        7⤵
        Launches sc.exe
        
        PID:2960
        
        C:\Windows\system32\RunDLL32.Exe
        
        "C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
        7⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:5112
        
        C:\Windows\system32\net.exe
        
        "C:\Windows\sysnative\net.exe" start bddci
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start bddci
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
        7⤵
        Launches sc.exe
        
        PID:4292
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" description "DCIService" "Webprotection Bridge service"
        7⤵
        Launches sc.exe
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start DCIService
        8⤵
        Launches sc.exe
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh http add urlacl url=http://+:9007/ user=Everyone
        8⤵
        
        PID:5068
        
        C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
        
        "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
        
        "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s2.exe" /S
        5⤵
        Executes dropped EXE
        
        PID:4844
      - C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s2.exe" /S
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2108
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1176 -ip 1176
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1176 -ip 1176
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1176 -ip 1176
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1176 -ip 1176
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1176 -ip 1176
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1176 -ip 1176
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1176 -ip 1176
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1176 -ip 1176
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1176 -ip 1176
1⤵
PID:2744

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4232

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --startmenu
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Lavasoft\WEBCOM~1\Service\x64\bddci.sys

Filesize
358KB

MD5
7e8d2dd117579f79f574f8f410364f42

SHA1
44d730b09ac3d193680a0bb2bc985765d636225a

SHA256
bd44c3509f3095551bc3d9379e3e06ca49aac622a6c9d878e07eeb714141530e

SHA512
781dea6b7692646eec06216433c01d1852504c0740560d7083de78f78f186ec0bb7ed992d1dd32950513c66e38921062b5f93094da93799a7cba857e498059fc

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Filesize
199KB

MD5
8512d942e79befb7d29249d8829d1d38

SHA1
ae8dcd0ba4c5c57080efed0915b91bed17427bf0

SHA256
e8e1669fe87e99c8095ded0a86beb632a066c9a71e3d16e687d10b042ef921d8

SHA512
2d857b3057039ba64db3a353ccd82adabf461cba173ebd773162e2455bf5cb706d98e444e368a8d1df06c8dc5e0e10b83d5fc0c8e02d6e4945c75fb714f97ab8

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Filesize
199KB

MD5
8512d942e79befb7d29249d8829d1d38

SHA1
ae8dcd0ba4c5c57080efed0915b91bed17427bf0

SHA256
e8e1669fe87e99c8095ded0a86beb632a066c9a71e3d16e687d10b042ef921d8

SHA512
2d857b3057039ba64db3a353ccd82adabf461cba173ebd773162e2455bf5cb706d98e444e368a8d1df06c8dc5e0e10b83d5fc0c8e02d6e4945c75fb714f97ab8

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Filesize
199KB

MD5
8512d942e79befb7d29249d8829d1d38

SHA1
ae8dcd0ba4c5c57080efed0915b91bed17427bf0

SHA256
e8e1669fe87e99c8095ded0a86beb632a066c9a71e3d16e687d10b042ef921d8

SHA512
2d857b3057039ba64db3a353ccd82adabf461cba173ebd773162e2455bf5cb706d98e444e368a8d1df06c8dc5e0e10b83d5fc0c8e02d6e4945c75fb714f97ab8

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Filesize
199KB

MD5
8512d942e79befb7d29249d8829d1d38

SHA1
ae8dcd0ba4c5c57080efed0915b91bed17427bf0

SHA256
e8e1669fe87e99c8095ded0a86beb632a066c9a71e3d16e687d10b042ef921d8

SHA512
2d857b3057039ba64db3a353ccd82adabf461cba173ebd773162e2455bf5cb706d98e444e368a8d1df06c8dc5e0e10b83d5fc0c8e02d6e4945c75fb714f97ab8

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Filesize
199KB

MD5
8512d942e79befb7d29249d8829d1d38

SHA1
ae8dcd0ba4c5c57080efed0915b91bed17427bf0

SHA256
e8e1669fe87e99c8095ded0a86beb632a066c9a71e3d16e687d10b042ef921d8

SHA512
2d857b3057039ba64db3a353ccd82adabf461cba173ebd773162e2455bf5cb706d98e444e368a8d1df06c8dc5e0e10b83d5fc0c8e02d6e4945c75fb714f97ab8

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Filesize
130KB

MD5
d18ff7adf23c62147a302ab8985b2dc3

SHA1
0a7b4c82912a00a75dc67beed3e1ac119deef58b

SHA256
5dec6c64e9f4ad92ba4f40791a7fb6dbbd0dc2f0dbafbdddabf3ac42bb747f77

SHA512
2e5417b2fb41b6135b00940b0c015da26b95439a537994b9508b9f4ae174e055d8772914994d473f05c77f743f0957b7386ef9c4e73f68685a7a983a7c32d3b0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Filesize
130KB

MD5
d18ff7adf23c62147a302ab8985b2dc3

SHA1
0a7b4c82912a00a75dc67beed3e1ac119deef58b

SHA256
5dec6c64e9f4ad92ba4f40791a7fb6dbbd0dc2f0dbafbdddabf3ac42bb747f77

SHA512
2e5417b2fb41b6135b00940b0c015da26b95439a537994b9508b9f4ae174e055d8772914994d473f05c77f743f0957b7386ef9c4e73f68685a7a983a7c32d3b0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Filesize
130KB

MD5
d18ff7adf23c62147a302ab8985b2dc3

SHA1
0a7b4c82912a00a75dc67beed3e1ac119deef58b

SHA256
5dec6c64e9f4ad92ba4f40791a7fb6dbbd0dc2f0dbafbdddabf3ac42bb747f77

SHA512
2e5417b2fb41b6135b00940b0c015da26b95439a537994b9508b9f4ae174e055d8772914994d473f05c77f743f0957b7386ef9c4e73f68685a7a983a7c32d3b0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Filesize
130KB

MD5
d18ff7adf23c62147a302ab8985b2dc3

SHA1
0a7b4c82912a00a75dc67beed3e1ac119deef58b

SHA256
5dec6c64e9f4ad92ba4f40791a7fb6dbbd0dc2f0dbafbdddabf3ac42bb747f77

SHA512
2e5417b2fb41b6135b00940b0c015da26b95439a537994b9508b9f4ae174e055d8772914994d473f05c77f743f0957b7386ef9c4e73f68685a7a983a7c32d3b0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Filesize
130KB

MD5
d18ff7adf23c62147a302ab8985b2dc3

SHA1
0a7b4c82912a00a75dc67beed3e1ac119deef58b

SHA256
5dec6c64e9f4ad92ba4f40791a7fb6dbbd0dc2f0dbafbdddabf3ac42bb747f77

SHA512
2e5417b2fb41b6135b00940b0c015da26b95439a537994b9508b9f4ae174e055d8772914994d473f05c77f743f0957b7386ef9c4e73f68685a7a983a7c32d3b0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Filesize
105KB

MD5
921557abd07cb5600b615aca6d62f85b

SHA1
357577a9c6d41559bf40d1534dd134cedec8d39a

SHA256
e81a3c1b7c76523ee64e1b96f8861c4c9486a936db0c34233fadc47fa720fae1

SHA512
9779310ce7e187ffc552cc2bcf26508bbc2d22c578653b96c58ea1745d9d6b09aeb8f3ee88d9df6660cb62c2951ff6747008dd22e84e556e3d809a6fabe463d2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Filesize
105KB

MD5
921557abd07cb5600b615aca6d62f85b

SHA1
357577a9c6d41559bf40d1534dd134cedec8d39a

SHA256
e81a3c1b7c76523ee64e1b96f8861c4c9486a936db0c34233fadc47fa720fae1

SHA512
9779310ce7e187ffc552cc2bcf26508bbc2d22c578653b96c58ea1745d9d6b09aeb8f3ee88d9df6660cb62c2951ff6747008dd22e84e556e3d809a6fabe463d2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Filesize
105KB

MD5
921557abd07cb5600b615aca6d62f85b

SHA1
357577a9c6d41559bf40d1534dd134cedec8d39a

SHA256
e81a3c1b7c76523ee64e1b96f8861c4c9486a936db0c34233fadc47fa720fae1

SHA512
9779310ce7e187ffc552cc2bcf26508bbc2d22c578653b96c58ea1745d9d6b09aeb8f3ee88d9df6660cb62c2951ff6747008dd22e84e556e3d809a6fabe463d2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Filesize
105KB

MD5
921557abd07cb5600b615aca6d62f85b

SHA1
357577a9c6d41559bf40d1534dd134cedec8d39a

SHA256
e81a3c1b7c76523ee64e1b96f8861c4c9486a936db0c34233fadc47fa720fae1

SHA512
9779310ce7e187ffc552cc2bcf26508bbc2d22c578653b96c58ea1745d9d6b09aeb8f3ee88d9df6660cb62c2951ff6747008dd22e84e556e3d809a6fabe463d2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Filesize
105KB

MD5
921557abd07cb5600b615aca6d62f85b

SHA1
357577a9c6d41559bf40d1534dd134cedec8d39a

SHA256
e81a3c1b7c76523ee64e1b96f8861c4c9486a936db0c34233fadc47fa720fae1

SHA512
9779310ce7e187ffc552cc2bcf26508bbc2d22c578653b96c58ea1745d9d6b09aeb8f3ee88d9df6660cb62c2951ff6747008dd22e84e556e3d809a6fabe463d2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Filesize
428KB

MD5
aed5b63ab78a29ba8405821329f2c4ce

SHA1
ad0b38042b530eea67734d9d1bb33d450adfa40d

SHA256
50bf9b5f54bcd54b57e2b1fcba41f2ce2650fd56aa4621a382010c1006379cab

SHA512
a1cbd4f8652132362f1ebbab9078936a13a51cfbf1606f6b708036b0629d5f1adfcb461878c5a744d0279ce50ff9992cf98e6b440c0b7de62ed285de102b1c02

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Filesize
428KB

MD5
aed5b63ab78a29ba8405821329f2c4ce

SHA1
ad0b38042b530eea67734d9d1bb33d450adfa40d

SHA256
50bf9b5f54bcd54b57e2b1fcba41f2ce2650fd56aa4621a382010c1006379cab

SHA512
a1cbd4f8652132362f1ebbab9078936a13a51cfbf1606f6b708036b0629d5f1adfcb461878c5a744d0279ce50ff9992cf98e6b440c0b7de62ed285de102b1c02

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Filesize
428KB

MD5
aed5b63ab78a29ba8405821329f2c4ce

SHA1
ad0b38042b530eea67734d9d1bb33d450adfa40d

SHA256
50bf9b5f54bcd54b57e2b1fcba41f2ce2650fd56aa4621a382010c1006379cab

SHA512
a1cbd4f8652132362f1ebbab9078936a13a51cfbf1606f6b708036b0629d5f1adfcb461878c5a744d0279ce50ff9992cf98e6b440c0b7de62ed285de102b1c02

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Filesize
8.8MB

MD5
2ddb76595361427259ad2733c0e2a92b

SHA1
1b0c897a1ae58c470f20fda67fee7f8f38936c04

SHA256
bbebe32f082f3277298a7a0f72ef8f66b639d91290c1c6bfd4ca4df4f7379690

SHA512
ad1b881eada6dd53ad307991746fbdb2a7e0c772f7c6f9d19e1708d42c18dd461ef20972f7ead5dfc722a61411159f47d9a27c5a5ae2c20eaf6a6d9027836798

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Filesize
8.8MB

MD5
2ddb76595361427259ad2733c0e2a92b

SHA1
1b0c897a1ae58c470f20fda67fee7f8f38936c04

SHA256
bbebe32f082f3277298a7a0f72ef8f66b639d91290c1c6bfd4ca4df4f7379690

SHA512
ad1b881eada6dd53ad307991746fbdb2a7e0c772f7c6f9d19e1708d42c18dd461ef20972f7ead5dfc722a61411159f47d9a27c5a5ae2c20eaf6a6d9027836798

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config

Filesize
18KB

MD5
feed0f743db90fbc95e33f081b50acb0

SHA1
a2cc752167b06ed562c6ec00a4f994d8a59ad7f4

SHA256
a1f55fb8a5e389b7727a683b2265c678d903a4f9cb08272afbd922f41f18d7d2

SHA512
5d627768db6ce3d1a100a6a72e40ca477687e9785efa9f78c23d375889ca8c748e432f5c25323d22f600768490da25e7803e804b5b62d2f89696a5c1db972241

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
58d6b3665dc20ff0d53c29bc3790bade

SHA1
b632aecc2cc1e77f2fbca82f40a370ce40ac63b9

SHA256
83c5f412b47bcdb5606631067fecb413a946f735984c53328493293f2581d362

SHA512
021a7433c2423e8673c8f5da66f5cfb8d18141be682bb5bb5594d9774fba2899a5348a9ed89fb2b409a2b7cccabec5d39e6e969448576b8694a544d91fd61260

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
58d6b3665dc20ff0d53c29bc3790bade

SHA1
b632aecc2cc1e77f2fbca82f40a370ce40ac63b9

SHA256
83c5f412b47bcdb5606631067fecb413a946f735984c53328493293f2581d362

SHA512
021a7433c2423e8673c8f5da66f5cfb8d18141be682bb5bb5594d9774fba2899a5348a9ed89fb2b409a2b7cccabec5d39e6e969448576b8694a544d91fd61260

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
58d6b3665dc20ff0d53c29bc3790bade

SHA1
b632aecc2cc1e77f2fbca82f40a370ce40ac63b9

SHA256
83c5f412b47bcdb5606631067fecb413a946f735984c53328493293f2581d362

SHA512
021a7433c2423e8673c8f5da66f5cfb8d18141be682bb5bb5594d9774fba2899a5348a9ed89fb2b409a2b7cccabec5d39e6e969448576b8694a544d91fd61260

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
58d6b3665dc20ff0d53c29bc3790bade

SHA1
b632aecc2cc1e77f2fbca82f40a370ce40ac63b9

SHA256
83c5f412b47bcdb5606631067fecb413a946f735984c53328493293f2581d362

SHA512
021a7433c2423e8673c8f5da66f5cfb8d18141be682bb5bb5594d9774fba2899a5348a9ed89fb2b409a2b7cccabec5d39e6e969448576b8694a544d91fd61260

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
58d6b3665dc20ff0d53c29bc3790bade

SHA1
b632aecc2cc1e77f2fbca82f40a370ce40ac63b9

SHA256
83c5f412b47bcdb5606631067fecb413a946f735984c53328493293f2581d362

SHA512
021a7433c2423e8673c8f5da66f5cfb8d18141be682bb5bb5594d9774fba2899a5348a9ed89fb2b409a2b7cccabec5d39e6e969448576b8694a544d91fd61260

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe

Filesize
3.3MB

MD5
3f48b52e8516a306407bb51b0336a228

SHA1
23c5ebd76217dcdd27a89e3f8f73f7825ad29092

SHA256
749622c27fb3fb25531d29dcc0325a9b252e0168e3ce57b7182e88704451763d

SHA512
e9d0b18f92de2f6ff1012b4bd7525d20bebbd97e32248ae2fd75b254eb37c3ce8d35f10a773081437dfd0b7fb03b7020652d868eeb6ce54e85c3c6dd312d632a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe

Filesize
3.3MB

MD5
3f48b52e8516a306407bb51b0336a228

SHA1
23c5ebd76217dcdd27a89e3f8f73f7825ad29092

SHA256
749622c27fb3fb25531d29dcc0325a9b252e0168e3ce57b7182e88704451763d

SHA512
e9d0b18f92de2f6ff1012b4bd7525d20bebbd97e32248ae2fd75b254eb37c3ce8d35f10a773081437dfd0b7fb03b7020652d868eeb6ce54e85c3c6dd312d632a

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\MSVCP140.dll

Filesize
576KB

MD5
e74caf5d94aa08d046a44ed6ed84a3c5

SHA1
ed9f696fa0902a7c16b257da9b22fb605b72b12e

SHA256
3dedef76c87db736c005d06a8e0d084204b836af361a6bd2ee4651d9c45675e8

SHA512
d3128587bc8d62e4d53f8b5f95eb687bc117a6d5678c08dc6b59b72ea9178a7fd6ae8faa9094d21977c406739d6c38a440134c1c1f6f9a44809e80d162723254

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\VCRUNTIME140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf

Filesize
2KB

MD5
58b2e13bac1f78e521a408ec5ca8a606

SHA1
e40139e0a3f8b2f5d3a457d1701b527b83bc1541

SHA256
a84e4b890c7cfd488653eaf6cf38f283d8b7e12f467f241a2046818cb9e762de

SHA512
5e25997da0769f2d1217c754efa2b72a1117f1849ec86c90ad3945ec899f52b9237d0d39d8c43df3fdf93b52c26b47f6eafe6009e7cc62389e96d26f84a3f96e

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddcihttp.dll

Filesize
2.8MB

MD5
386f99a088759fe02aea6df2cffc6ce3

SHA1
b9ae9a1b3e4439e3576b034d3db86c1a9d1b3e82

SHA256
f0aa60421c203447feb2283e2e3e050ff2f6c33fd6f196613405cd12f70609b9

SHA512
d0fdd37b5adffbded901f5ce9492763e3f8717ab46a02034a59629488efe41cc3cb0d7ea265015db97ca1b79a1f41755ce32c5ac2189bd8856ac78b3ed93db9c

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddcihttp.dll

Filesize
2.8MB

MD5
386f99a088759fe02aea6df2cffc6ce3

SHA1
b9ae9a1b3e4439e3576b034d3db86c1a9d1b3e82

SHA256
f0aa60421c203447feb2283e2e3e050ff2f6c33fd6f196613405cd12f70609b9

SHA512
d0fdd37b5adffbded901f5ce9492763e3f8717ab46a02034a59629488efe41cc3cb0d7ea265015db97ca1b79a1f41755ce32c5ac2189bd8856ac78b3ed93db9c

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd

Filesize
49B

MD5
95e8c6cd0a911f1ab4969c06b8cf77a2

SHA1
be1b1f8abd0420f59ecab7bcf8120cdc2ce34195

SHA256
de795f6d8591577054813bee79e7c5b4ee13360039d29aa73971c6b985d26ebd

SHA512
e5eefaf761be7bf3cea207e22e98398093fa0a9d3b459af7df22bfbf07755816737a7b8b261acf01aec8b10b5d8f0d90132a4ecdd83c242b2cde883039fac1ff

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140.dll

Filesize
576KB

MD5
e74caf5d94aa08d046a44ed6ed84a3c5

SHA1
ed9f696fa0902a7c16b257da9b22fb605b72b12e

SHA256
3dedef76c87db736c005d06a8e0d084204b836af361a6bd2ee4651d9c45675e8

SHA512
d3128587bc8d62e4d53f8b5f95eb687bc117a6d5678c08dc6b59b72ea9178a7fd6ae8faa9094d21977c406739d6c38a440134c1c1f6f9a44809e80d162723254

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log

Filesize
5KB

MD5
898b46a72b577d8a890053ae2d6a9eba

SHA1
b87504c5c26a58a330f978177aff1e6356b0f68d

SHA256
175832db657d69598158fb12e85c05233bffdd6775d42b630e1bad4e31e66ef0

SHA512
bff798da7b32b883221d249a753d6ef033677312e81267a843555848ead687284129df58eecdc7558bd241c17e082cc1370484c15914c9a58156c47d45d481b9

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ActiveFeatures.zip

Filesize
17KB

MD5
f73194a31d358c8b154bddb32cb3845b

SHA1
5eba0a11c128a564be4bd35ccf331d326f07090f

SHA256
365d64720bf60a75f792f2c3253806f96229ccb2ec8e587bb75c2e7613ecf2ad

SHA512
d00868310865bb483a9a728ecf211941e38cad0c83c3e59a7c841bbaee11b1d50af873e9c687da771c30a693cbcfa40c18722459d3301916ca563161b2ec7167

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ServicePartnerInfo.txt

Filesize
174B

MD5
02079594e1e93a30e601500042498bb1

SHA1
8709c8d67f0635e4ce39644a28e5f9e0a1af7ce8

SHA256
6f8157ee32a8d195c2df6959489d7cd72cd47bea7f0793722167b69717f1caf7

SHA512
f36aa4939c974f8e70e5c75f336f927479f3a128a3390d08d1b79399e0517b8e09db07aca949613f1df1928e431611aa7190126a9f507297e4b6db32eb024872

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\97smnx1s.newcfg

Filesize
476B

MD5
d688075f2a14f59ebd6b4db562d7ca9b

SHA1
bf6d5a03785ae61a8ba65aae063178ad4429c8dc

SHA256
ba30553d3d84be781cfa6bfc6b8aec74714874232b41f188cb16e98ac0baed10

SHA512
f3485e3a244c123674a91824fb62c3f81a724d7da259e5d2297427825e8365914738b53f4a44098a00770dbe40effbff024082a1972c043d7fa4b06b48be6660

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\edkn-1m3.newcfg

Filesize
611B

MD5
db5a5229e8031c16476ada576e33eeac

SHA1
ba94a4d307940a5cef1b0e1687f77cace8c9a417

SHA256
d652d71f99e5e8d1d8c4e794806fb4391adfe29cc4e3047ef7acebad225f2520

SHA512
19605ed23f78b45a19dd7698c4ff5b322bb2cd0a5c594ee2ac156d56e59a2bcf1032780c17e1b955d377505e140c3d2dc9f4e4e743ac175a238670804ee3f786

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\jzhbaw0r.newcfg

Filesize
600B

MD5
f45fbf2840b83157a163c07002870999

SHA1
7d99a5ac807b4405ea93fcbac01b7681ad1b8186

SHA256
06d4c8f2f79d3293da27d3cc69cd59c14f3ec02c3ea622608b6e6ffd0316ef70

SHA512
b8ffb396648642bfc2d1ba374adb74cefd54ea449fb95bfb19e46becf828fac028716050436766ac19d61ce553395cf4aa4361adb2d7bee482e03e1efe870244

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\me5o4ipz.newcfg

Filesize
1KB

MD5
3589061668e83d2e320e6772f72060e4

SHA1
5e6a7d90eb9dff98ed88772f1f6813b3a0937bdb

SHA256
078987da39fa63c02c13ac4935ab9bf76d8248af3f1625b947098a614a2a7ade

SHA512
90414e0f9d31a9406baed7ea197b72f1b347d8a8e7cd1b7a169e1ce4ce75f44707509242ecd92460eadac4647a522b7c1da86f7c5e9948d5137e85e5567a3401

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\nj3fvchp.newcfg

Filesize
1KB

MD5
e4308a22084be6f951aa99648cdbe1c2

SHA1
dbef8d6b73e101397816c3ade09d4f156987a53b

SHA256
f96bacba602816427d078505dea2b0423bd391313950e8b60258471d7372b446

SHA512
8d1aa1380a5623d247fea0d8e0178cc1dbb61141c7dc45c095930a420a904efbf7f80f3febb5411cb8a152ee12e5e667f6466cf33de58dcdf89e0199fd959867

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\user.config

Filesize
338B

MD5
0a35fbae99f45bc0dccdb777ecfd0436

SHA1
65e295fde91f90d55b107680e060895654fe66e4

SHA256
19af84c48a15820c94367390d58588ddad8164b0ac4056c258a766c726329550

SHA512
db3a0973a373c039603c750f0f196cbf65553cddb83739f1942402eaacbe178a775be87c4b034feb706830ae69d20158c3e3ecad8d5d3febc45146b487c3c42c

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\ycqmrlkh.newcfg

Filesize
480B

MD5
e5842e68e01a61b15603df392c77d3b9

SHA1
e8dfdd9ef58dc7e155149ad7aeb4b86da88d9b2d

SHA256
a80104003be8199a4fd4e8ecf55039bd89c611debc7d7ff21c563a596eb67af5

SHA512
0258c6c602620e556833ada35f6ff37145d4700fec275b64a783aa004615e905d4ebe29c2a11709776f59f1641edbdaee2ae303cae87b37147c31ec7f49dcf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\ICSharpCode.SharpZipLib.dll

Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\ICSharpCode.SharpZipLib.dll

Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\ICSharpCode.SharpZipLib.dll

Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\ICSharpCode.SharpZipLib.dll

Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\ICSharpCode.SharpZipLib.dll

Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\Newtonsoft.Json.dll

Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\Newtonsoft.Json.dll

Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\Newtonsoft.Json.dll

Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\Newtonsoft.Json.dll

Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\Newtonsoft.Json.dll

Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\WebCompanionInstaller.exe

Filesize
451KB

MD5
fb2ce6e0d7d5944e86697425c10cd11f

SHA1
0d4bee7a0b9350a3906bc4704cae72159dd83729

SHA256
ded4d86bf32884b7ad4639e26b4c79c0140060b8bca23660d31ebbcd66fa25b8

SHA512
e6daec17cf11ce4d9ccb28a489be80f1960a0a639138d2c770a5f84ddf7593f64824078796df7aa72e8407aae596333f646fea225207563f3e46dfcb1140eb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\WebCompanionInstaller.exe

Filesize
451KB

MD5
fb2ce6e0d7d5944e86697425c10cd11f

SHA1
0d4bee7a0b9350a3906bc4704cae72159dd83729

SHA256
ded4d86bf32884b7ad4639e26b4c79c0140060b8bca23660d31ebbcd66fa25b8

SHA512
e6daec17cf11ce4d9ccb28a489be80f1960a0a639138d2c770a5f84ddf7593f64824078796df7aa72e8407aae596333f646fea225207563f3e46dfcb1140eb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B461327\WebCompanionInstaller.exe.config

Filesize
2KB

MD5
d9385bdc6e1554260cb7d30f6464dd9e

SHA1
b26637f3a18a503f5fd0fcf5d6cc20c087082052

SHA256
80a15ac4f887309d99b0e6566644a6fb95c028e8e90b130ceec54d808879a81c

SHA512
4dee0f7e2dae834f171766c3f7097660faf0bcbdaa57dd248c5c484c290e36d1b9e5599edd75dbdf2cc730ff872ce3bf7a5329941c84475bfac0bb25f01f4667

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9A99I.tmp\setup.tmp

Filesize
3.1MB

MD5
8c50315d0a2325deaafa9cd9daa82cbf

SHA1
0e6cdc38d606805e98ceb863e468f445274815ae

SHA256
5c50d35d3436f667810b54e61aa844130415c117e8ae1283304e0cc772be6a4c

SHA512
e8a0ef621f84a4d45989d06d0e810c30e0e017da3c71f7cd6052ee41c2d96ed317d8d837a6d816070c31d60b067a5a7c003a2bb5858eddad221d86c569228a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENN5F.tmp\setup.exe

Filesize
1.7MB

MD5
06b9def138d9a62dcb0032978264e89a

SHA1
c2690f268f82c228ac699d72726a1af484918603

SHA256
f17533345efe0b88151b44376e873c6bd980e03afc10045132023bb4c834a53f

SHA512
5957ef801ac7b457f5dc0ed250faeece9e70d81e43ddf3ceeb6bf8c2c1886014a78eefe495817bdb4977dbfc1601d410fc28010f123dd2de0c021ea3ac87c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENN5F.tmp\setup.exe

Filesize
1.7MB

MD5
06b9def138d9a62dcb0032978264e89a

SHA1
c2690f268f82c228ac699d72726a1af484918603

SHA256
f17533345efe0b88151b44376e873c6bd980e03afc10045132023bb4c834a53f

SHA512
5957ef801ac7b457f5dc0ed250faeece9e70d81e43ddf3ceeb6bf8c2c1886014a78eefe495817bdb4977dbfc1601d410fc28010f123dd2de0c021ea3ac87c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENN5F.tmp\setup.exe

Filesize
1.7MB

MD5
06b9def138d9a62dcb0032978264e89a

SHA1
c2690f268f82c228ac699d72726a1af484918603

SHA256
f17533345efe0b88151b44376e873c6bd980e03afc10045132023bb4c834a53f

SHA512
5957ef801ac7b457f5dc0ed250faeece9e70d81e43ddf3ceeb6bf8c2c1886014a78eefe495817bdb4977dbfc1601d410fc28010f123dd2de0c021ea3ac87c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s0.exe

Filesize
280KB

MD5
9b785f5fd2ae2d63b26ed46e7a11c082

SHA1
5faf5c3fcdb0677252ee7349c791365aa1c84f93

SHA256
469e2bfe039b0800faa99bbd49197946532c42c44de30245c9fd526cdd088a15

SHA512
e529020264e55d7e12b23c21b74f73a61f0a4d0bbca2e1c5c5aeef73368312b0bcbbebdd9fe686c3a7a421bfdeeb6b0a00e3ffe9d682cb4b50342a8a11ed4abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s0.exe

Filesize
280KB

MD5
9b785f5fd2ae2d63b26ed46e7a11c082

SHA1
5faf5c3fcdb0677252ee7349c791365aa1c84f93

SHA256
469e2bfe039b0800faa99bbd49197946532c42c44de30245c9fd526cdd088a15

SHA512
e529020264e55d7e12b23c21b74f73a61f0a4d0bbca2e1c5c5aeef73368312b0bcbbebdd9fe686c3a7a421bfdeeb6b0a00e3ffe9d682cb4b50342a8a11ed4abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s1.exe

Filesize
542KB

MD5
1fe97398b67bd17b9dacc347da9d5aec

SHA1
59411d138e4a77895e5f280ea63f2b47fce00723

SHA256
e384df976f21e80cda75ebfd070f3ddf564b21d313c198bec6b3d8c1c84c36d5

SHA512
f8736c58b1bb6de8ae0e18c01e2fcad4764275665bbca84ed0ae79620897f846f6a4ffec440d04615d734b8935901c8e7a124d3a7b81bf836d7e227ac7d5da8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\s1.exe

Filesize
542KB

MD5
1fe97398b67bd17b9dacc347da9d5aec

SHA1
59411d138e4a77895e5f280ea63f2b47fce00723

SHA256
e384df976f21e80cda75ebfd070f3ddf564b21d313c198bec6b3d8c1c84c36d5

SHA512
f8736c58b1bb6de8ae0e18c01e2fcad4764275665bbca84ed0ae79620897f846f6a4ffec440d04615d734b8935901c8e7a124d3a7b81bf836d7e227ac7d5da8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I22UK.tmp\status.log

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K9ED2.tmp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp

Filesize
3.1MB

MD5
92dcce0bc1ac275d46b591ea6a3656de

SHA1
3ee8b7c0f3cd7fa492b886bf4291c6e575defc6d

SHA256
bfd241454512188710a86c84c74b625fd260333abc7fc8e15bfacc7fe1750988

SHA512
6f96af5dc358479fc8131e455a6c8e1dc339a993a1549a1e90310fedd4d95bdf7a8d6892347f4a9509e7c4b1fe95fa4d155e32d7ec617683604c2efef9240499

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K9ED2.tmp\Adobe Photoshop 2023 29.7.5.320 (x64) + Crack.tmp

Filesize
3.1MB

MD5
92dcce0bc1ac275d46b591ea6a3656de

SHA1
3ee8b7c0f3cd7fa492b886bf4291c6e575defc6d

SHA256
bfd241454512188710a86c84c74b625fd260333abc7fc8e15bfacc7fe1750988

SHA512
6f96af5dc358479fc8131e455a6c8e1dc339a993a1549a1e90310fedd4d95bdf7a8d6892347f4a9509e7c4b1fe95fa4d155e32d7ec617683604c2efef9240499

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new

Filesize
466B

MD5
f89a0922237e986f8109782f076b0450

SHA1
0f63c253d94a2ead4e7852c1994b461372ccac99

SHA256
5d024e16d9839fd58abdca51ccd33d29a793292b10c83a0a8849443a607b2c04

SHA512
d3575259989075c39c17fb13b98bc651d23f25f78d0e1df74f9c196ad80edce7e6992eda05225cc5a9ed2e6c663fd9b796696b8fb1bf647334719ed3e3ab2939

Download Submit
memory/732-163-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/732-178-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1176-191-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/1176-185-0x00000000007E0000-0x0000000000822000-memory.dmp

Filesize
264KB

Download
memory/1256-1847-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/1256-1588-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/2736-190-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2736-248-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2736-179-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2736-1673-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2736-175-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4024-232-0x00000000015C0000-0x00000000015D0000-memory.dmp

Filesize
64KB

Download
memory/4024-337-0x00000000015C0000-0x00000000015D0000-memory.dmp

Filesize
64KB

Download
memory/4112-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4112-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4204-766-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/4204-552-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/4532-1205-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4532-1428-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/5084-141-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5084-166-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5084-139-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download