3e852da637bffdb51542ea3a2208ff73eb737554e43f7feead2b243c7f0f1083

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

532KB
MD5

9e752b4955759a42d94b655b55d06784
SHA1

59d2eb1e6c35f1650dbfe0884a03a07c071e09f8
SHA256

3e852da637bffdb51542ea3a2208ff73eb737554e43f7feead2b243c7f0f1083
SHA512

cf8b87fe90613c2cb820c0d5f57d686843f57115f02b20a50f5c0bd8cddc92d466c3fa8d45b8b084abea203f03d6ac1328411cc3550c7a63bcf096f779180907
SSDEEP

12288:7G5knZfFKer58CGWoOKDtjMF3+nG4nsCGKZ+d+hSOjn4ZSVbsFGxz6:7G50ZfFKUboOMsGsClZ+dnOMZabsiz6

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Users\\Admin\\AppData\\Roaming\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Users\\Admin\\AppData\\Roaming\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WebCompanion-Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 3 IoCs

pid	Process
4812	WebCompanion-Installer.exe
4400	WebCompanion.exe
4452	WebCompanion.exe

Loads dropped DLL 64 IoCs

pid	Process
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WebCompanion.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WebCompanion.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanion.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4812	WebCompanion-Installer.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4400	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4452	WebCompanion.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	WebCompanion-Installer.exe
Token: SeDebugPrivilege	4400	WebCompanion.exe
Token: SeDebugPrivilege	4452	WebCompanion.exe
Token: SeDebugPrivilege	4236	taskmgr.exe
Token: SeSystemProfilePrivilege	4236	taskmgr.exe
Token: SeCreateGlobalPrivilege	4236	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4452	WebCompanion.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4452	WebCompanion.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe
4236	taskmgr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 4812	1828	Setup.exe	86
PID 1828 wrote to memory of 4812	1828	Setup.exe	86
PID 1828 wrote to memory of 4812	1828	Setup.exe	86
PID 4812 wrote to memory of 4852	4812	WebCompanion-Installer.exe	93
PID 4812 wrote to memory of 4852	4812	WebCompanion-Installer.exe	93
PID 4812 wrote to memory of 4852	4812	WebCompanion-Installer.exe	93
PID 4852 wrote to memory of 1816	4852	cmd.exe	95
PID 4852 wrote to memory of 1816	4852	cmd.exe	95
PID 4852 wrote to memory of 1816	4852	cmd.exe	95
PID 4812 wrote to memory of 4400	4812	WebCompanion-Installer.exe	96
PID 4812 wrote to memory of 4400	4812	WebCompanion-Installer.exe	96
PID 4812 wrote to memory of 4400	4812	WebCompanion-Installer.exe	96
PID 4812 wrote to memory of 4452	4812	WebCompanion-Installer.exe	99
PID 4812 wrote to memory of 4452	4812	WebCompanion-Installer.exe	99
PID 4812 wrote to memory of 4452	4812	WebCompanion-Installer.exe	99

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\7zS42754477\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN230901 --nonadmin --direct --campaign --version=12.901.4.1003
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\netsh.exe
      netsh http add urlacl url=http://+:9007/ user=Everyone
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe
    "C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe
    "C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1940

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log

Filesize
4KB

MD5
b8434f309ff4aecf2fe4193dfd053a58

SHA1
0ea5357b958e124dd860f870df68f21714609cc9

SHA256
784a6857bf3aeba6b965ce78378a8478f1603367bbed2c3496537f0a07e4f8e5

SHA512
35df3c8a1171f21447cef4e5b00db0c74e2cc2ed9f2b0116d19cea87511b161eacfb9f28806e7dfc4e8a862e05784ccef1f7190cdedc694275eacb39784135a3

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\1re2dt40.newcfg

Filesize
1KB

MD5
503758332f80d2c0cd5445e7fcd507c1

SHA1
897977a2e51e562e20fce5af1af7cde0fa2ca136

SHA256
0022a59125e8f274ec86835d3218f0b89baaa85cf2d25a4d8cde5e7ab1626822

SHA512
fb7b9f690b73f559edd5e3ea60e450bda2ee7438f819aa766ada3485a67a683623f381337726f2682615f9e0e266bef2417fbda6870c31c65fe05000ac29b285

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\5kpmwccx.newcfg

Filesize
2KB

MD5
13f52d960519e45a65ff44755ae03f66

SHA1
4aa2b27ebd3ed476d1a674b8e67d3cc32494b96e

SHA256
e9c02ab5d3d05926dfbc682b2466a7cf82b52218f20402604b176e02733dca47

SHA512
bda2cf27a4dadeb633eb89bacd63895c47f8f83315d479c5ee3699228d8482fa6794bfd0a2464246e766da84ce60d750434d417c2ad6843bf320ea2fa3c04d68

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\dlaplvxs.newcfg

Filesize
1KB

MD5
1e3f56b1c69ea172acdbf14f6cba39e4

SHA1
628d53d6eace73ecdf0f7800bb24dded714a4c11

SHA256
e8e3b3086a50e2ddbfa5f007435d0c03310cfa7d11fd9f06b04b6f1073612281

SHA512
1e1852e61aab29c1fa271cdbd05217c550b20a76fe38defb6006e4c3dd970fcaa56a9ad9812fe272e96c312ab60d8331fae5edb0ada1b9b17c2ffd0f0488719b

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\eauxffzv.newcfg

Filesize
723B

MD5
eae39683b5f9117fcde036e28aa6ea09

SHA1
b362a0882a2afb7d470b94ec9d72dcacad82737d

SHA256
e205315b625f88ba5db9fab72956be091f45fdc9e298f06d3408f04bacf183a0

SHA512
44d032ef7a455e11f20425ad351c743363d5583554db23003f3cdfa3aa12a0fd7c175f5b0e2d363619909d76ba92617784705f370ccb902295f2e96c2b6ce5fd

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\jnbssfea.newcfg

Filesize
462B

MD5
6c7428ee170827af95a42c36eea3c79b

SHA1
0f3c9a3ed6b8ddb27afe69932de2b96a5ec2a84a

SHA256
acb6dd2a0049c987baaa2d46c6fcd6de74cc90aa79f3b5a5713454fceb299a46

SHA512
e4fe547e171e2d90a48876592dbfcd688ac61d63ff2c69fca4ab9bd4935600f362bf18ebcee1d7b2e2a8c16f15695627c28133d55e79be18d48c27c63c2e5b54

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\kxyirika.newcfg

Filesize
2KB

MD5
23c9fa5dc63a44608bb57b81e4f7a2c1

SHA1
76fda7ad565c3e05b5e2b27434a9f072e152ce98

SHA256
f9bda22ad60a69c1f7dc3d8fe583065c194fdbf62103384904a142c29def7fec

SHA512
6e4f232e31f805dbb0c16461d214217ff90b9f74aa1380e00aecbf9b91a32bd1800988dbb586dffa75069f2e8b22db539ad4c810931030ffe5e479244ad5903c

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\pneghxss.newcfg

Filesize
2KB

MD5
a5b56f51276c78b3862e1f06f4648eb7

SHA1
ea074b5c9eaa99764d658101248636810e725ce9

SHA256
d3a1d496ce85155bbcb117f928fd344be8b6ab9d9f8f5fdcb3cdea0b72a5cc82

SHA512
8b5c761f501f6b47a69fe193c3a1f6ee56e918cde2307d2d0b26b65e45cb954a83ce01691738b76a774345d22938ca4e034a4b9d48589a9ba85e9a2d14e1a8db

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\puuwculw.newcfg

Filesize
2KB

MD5
b397b5296eb44167d7b7142297da5956

SHA1
078d99a1a17ab7db22aaafe6b3c3b15a6e5edc06

SHA256
1b1e70379ab51a01e0c1c99c89efdac99eccd0db081cf6650c437724a8cc8ac3

SHA512
d1fc5872be4e5db2e8fdaeeec968aa150b05a03a6b0b0f2d8d7067a010fbe2846cb9468fbe431218385b6cde8a27d99465ce8ca93bf57f847b56e0aee88b77e7

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\qoyeyyqb.newcfg

Filesize
861B

MD5
8fcfed0307b17dbe792fd477141ebaa7

SHA1
eadeff417fee31215a1449982f3e58b9f52330bb

SHA256
04119e97067e832137e094aceaa61f131aa4984fff9a8930592ca8c30914f982

SHA512
ffa98e1347556f207e958c923f0a98f84891682ed5c28f60e81b2b7d8ef10d5fcaec81dfe440d51eff53dbcd77249596bb8c471e0056f807a7985a3f47e27544

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\r4a3wers.newcfg

Filesize
2KB

MD5
7c813e4129b5272a26b6a5bca80fd010

SHA1
b4d378e179e75dbaf4e7d0baa64143a2266391e4

SHA256
68ffd8a69aafe857ea95715f8bde69bf9a21a62cceadc4fa153b212b2f8b9681

SHA512
ac67a4bd3a7b5eb30b0b53e25e167ba9aab3a293e7b3a90c3f33bee5bd3ee05099e3afd4ef1e029b4a44827d2f0c5592708f8625d2f466f09170baa78bbd5c7d

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\riwgpwlj.newcfg

Filesize
2KB

MD5
848c5b27c5b910671169eb53245a81dc

SHA1
32a37b90cbbd249a6f98db2d2cd76f732f37aa81

SHA256
89d46091af363ba6e9765d6f60d8bd2f8a3721b7e798a9dacbec1db3be86e46e

SHA512
1d1f7007d09930e1a4951aa34b75d10a93f9c4921421b673f7c02f1b97b2c4a5fd124df5e148d46b74471fe4aae94f128de4405a2120764bf67f497757faaeb8

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\rpmbmzbz.newcfg

Filesize
1KB

MD5
3ca50cb800e914f2df7f077445f938d5

SHA1
ed755218897db88fd162d3428e9b4a3f27a55587

SHA256
7caaad9e5143a6e692529f2c94a103509725a9ff84f37c360889919ddf57a57a

SHA512
e08f796e605a93801ede49ba8e833cd726d54f69709c942cc599d6fff0b6c5c823effa215ad10d1dfe3febf1232ad600218336567548e5c5f0f24ddc9db25bf2

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\tcwu3b0t.newcfg

Filesize
594B

MD5
d2a31af04b72f10b334cf6d83e329178

SHA1
87ce6a8c7c38b66bf229932daa43d10acd43f5df

SHA256
be6034c3d1169b8b945d3a6e939cfd25759ac788ade5b59dde8aa299d1cec49b

SHA512
f5dcd0d132ee4119550ef8f2c6675120e03647d36e2a1dd4e5bcae2bef0445398f4fcb4dac8287ba745a14e89d93c7cdae7c6701e4c6ede89a869c5b354f95bb

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\tfvqsnkc.newcfg

Filesize
1KB

MD5
45484bd71e74ee07e69ef8e6f553dccf

SHA1
b01cf05ab517e1c784258c9ceaab36e1ee46062a

SHA256
6904fef541d8286ec4c0d4a2fd5f3cdff593f0ef76fe5bc491eb9ffbc6c708b6

SHA512
391a8cd595e5c33d71d48a9e80ccad377aea136d534532df00f39d105d2f9c2b732d69f9f1a8d396110f193ba93c9170e31e331a4ba909bc3f4d86d89d2b527c

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\user.config

Filesize
330B

MD5
335d8b10a6988eb38995ef38644b1552

SHA1
6e7f535cfa1e3ba2a2117a5a0801a00c6ec1e523

SHA256
aa0da1dc9950d1e0ef36e6429976cd1388561b5320aefef1f3f99a1a7b05c1dd

SHA512
f5060a2e0f2d5d5bba229a8a34442efe0b5334b41c9b76fd52f09325efcf6efc599f87e59f3a904ee299fbc9eb6519843559d539396ac25039a4696f045bb3ba

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\user.config

Filesize
2KB

MD5
f5f52fee9eede03b5966c612b7b0a550

SHA1
209eb99c3fb837e15f90aaa4a7438473906f5567

SHA256
079a347675be1ee7d91d9b0c75c76f7ca31e5738cf730518810933d2e505859c

SHA512
0c26e0e501a6a2ea37711331fb90e7730326928bbb3d07768008624db6c60d421d99ff0e66ede54c63c6d776c8e84cdbbd800ad28c5d5aef5bcbce4dfefe7f2b

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_kleyaxrtenldtfqjmu2cbjmsn1otpqzk\12.901.4.1003\wgp1lvn5.newcfg

Filesize
2KB

MD5
5fc80ddf074eb697ba633f891e9859d0

SHA1
eb9961056890a5a798d4cffe816ad213ae2962ef

SHA256
68e0858baffce028dd2f42be54ae3752d829d15c63940774941bb729d82d8499

SHA512
a704b77801bce048f8b5cf9335b4c1b4f7fa706b16f0cceeca167d26d6060e12c8a5c6f1e3cb08344b5bdba895430b67891725812de359a18111860ebd747959

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42754477\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
b0040d764201abd71c26560e798bfa7f

SHA1
a3f32be47621d353d67c6a72b7059b553801a9b8

SHA256
13c3e0fec7ff29eb8ab28b321102c2d27afcbb410884cd693cfd3d211bbef1d5

SHA512
104f157b822901375cacbb22121c1c866254eca5979422741768aed5536b0d51f5efce24b6106927cb16843276fc8e4b8f70ba20f5ac3c48a75460b2ab14e478

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42754477\Newtonsoft.Json.dll

Filesize
428KB

MD5
746c1f0ea5a5c0a67fe96dba4e32ac76

SHA1
cb31834984b5c7509499f0a9a5febe2e3575de78

SHA256
9ee20b0b7e54e633eff1a25b6e379201d499552689ad29eebd5ad90f221b1386

SHA512
b07f6032d609291f3f3d6e75abc055cbc0751c2cde4cfb4eb5ab93611ad8391e877dad92009dec70c0c2a7fb96b20cb4392a1a51634006466bca06fec36ce358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42754477\WebCompanion-Installer.exe

Filesize
428KB

MD5
f6271b5d4729c2fd7dd9950f41d57c8b

SHA1
b201f20d58d3d0de4edbc513b25c4af8d3790d13

SHA256
04e8c3de51503351b4d52fa9b010aebb41d3cca46387046e8e689fbaa7063c16

SHA512
8e4ff8ec79b154211d2b6ded28025b92c4f09e36ee160be689af986ae2aeb0f444d834b04f2c6887e757f618f1d7dfe049f8d8e6a6c460c99f79a80a1580db9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42754477\WebCompanion-Installer.exe.config

Filesize
2KB

MD5
be34b448b611dc35dd383ed545e8fa96

SHA1
6c9dcd8d936f0e39648f8fa80e7f07d9ce6f550e

SHA256
deeba89fab938088e2e65942e93210e6e368eef6bc1ca8e8724ed43154701851

SHA512
796bc2ee8672b64d9f5859f0b091e76de9523beb91a7c8a1aaf59be30902bb73f5d197f271d9d50ba6139b109b00f121efa11929f322af71fe9d32c683ad8c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42754477\en-US\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
e4266f63970e9bb702fded23abb07ad7

SHA1
fb53dbbc93788d7ac3672520706195ab3eb75fd0

SHA256
83cf07757ca5e7c3dd2a8cabc44ba246b6b6f24c3d7042ceb3fc91ddfa8c4160

SHA512
4632e8af8c60b242d7213ec4eebfff358c59e0408e2f6d1821bd87553877e0ff4c9e874992242b303d26a2c53ac53e628674ce2ddb0dc0102e581c05f25c5f54

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll

Filesize
144KB

MD5
296ec9745c31ba135e6b6b25eb0f103a

SHA1
9b4445ff18ea2a01c739be0fa1198243b9de49c0

SHA256
61a70774acbb150536270936b7109fef7556d73a5ba581798f5296b2bc5cc4f3

SHA512
1cb4e99ca9b9c2d6ff8eae2a3adf21273b366243d7dfcb6ccc8b9d46875e31f7df192256a1bacd47073d50aa2af08124f31ea41549454eb988d43f4d899993e2

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
31b456ee6302eac0f8449ffbe8bd3c1b

SHA1
d2cc42ed0fc28889fdee975e4920f5be22f11bbf

SHA256
7cbad3a0b469191b24f1d4a38a53d9219ab40c26b4e427123c813553ae8e2ce2

SHA512
7d5ab6b0b5b3a4c94ba572840da4b1ede30eacc167ae929b9abab36ae6284525f26d3025ee8b83efefbfaae20d1794f8aa0768bc0afb5c27795e15928fe8c870

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll

Filesize
464KB

MD5
f0fb6728c9d8c0a1a16acc28552000f2

SHA1
0d3880b1e0c5e424b89a01b1fdfa4e4da54f4d0d

SHA256
690af8f5e2b90dc00964ee389d7db004c4531c0edde101e04cf9009ee2156006

SHA512
40581aa78a0ffbd494ff99e161f0bfab0aff23b02f81f5e539509d6346226476a5be7231f47d3776ee246333229bb3e54c550e4117ac5e5b37481c5e97363d06

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll

Filesize
118KB

MD5
e9e26816ee6dfa0d4c30357008311c01

SHA1
d4d2f690a08f1ab85b9b02d267b8e138278f2329

SHA256
91ca690f23473476ac201cada9527f71dae1b15f6c272398253f3f0425b34825

SHA512
efe8d18d57b1e95c117789181f51d652eda53849872cbb5331cf5fd73955b04a08e360707d105b7901d72aeb86496baf2644111da289306c2022a7c9f5ee7440

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll

Filesize
136KB

MD5
b4e90ff038a9640cde9c1eb897cd2878

SHA1
fb26404d6d6630f983d8d95eecb00cd28f1809dc

SHA256
1884da1809e9d5b24f777524e8a9df261d3e39cdbb25846d5b594feb123abbec

SHA512
8fb8b6f4af754c5d2333cb622a953fcc3ed2fc13b604f5f17a94271b82151466f3aac50bc52116e5cdf7269854e4e3ce323cdeeb504551439cadb5b41f4c403c

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll

Filesize
37KB

MD5
e7cd1c3e0226f7ee3c4aedfb56186607

SHA1
5cc527e045a5ec0672c5f2c5580b604151af28c2

SHA256
0cf2529bea447f1e91faf4ecc1b01964575a47e1f21868140e96e37e307f8c3b

SHA512
b4bc8a995c0f137e78702a2fa0bdbef76563183a3b4345d2cb43176089961c5e18c3cba50dfca504eb62e2ec0f9ff1c7c53f8df0709d86e52267eb6b732d2cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll

Filesize
22KB

MD5
90b40e1e48bb9d32bf7071580f99eee0

SHA1
2b144eef4a4a9cd2364d7d430b0c146440e922bf

SHA256
8d99ef65121e6d824c9ce8902fe7ccf63ab48385b0c3b379080711603c263353

SHA512
10ad49b97c8d8b3b6689f4242ca0bcf4c772d20949e687db8031c6f22236bab0c1fcaf57366b33ddcd095ccc5f507db47f9942e120ebddfccaccc865d90aeec9

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll

Filesize
108KB

MD5
522a44cd2e255dff02c5e5c67a61b85a

SHA1
c8a9ec53407f729c81126dbb9db81af235b43b58

SHA256
4649fb49605bac2da3925ba3255bbd4017f5a9115206d67de6d51d5a1035b2c3

SHA512
3ea6b1bbd0cb4b78674b58d3ad77cb5d93a6f27be5dd5a4a83feddeacd55d1b8f17a12ee7664d866e32a929debef7183e3991c53a9ad8e056721e7b70d92d252

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll

Filesize
65KB

MD5
d7ddf9e550e3aea75828fdb478b828d3

SHA1
013eadba5dc5907b9e606eefae3378cb8bb3d342

SHA256
43a8aee7ffcc38dc74bb5a60a20c706bcddc6cb76cb8f707cf44cc906e021d5c

SHA512
98efa04647e3c05ef315430eed5c615eaea3c54aaa9a845a42bb8eb3b1fd5ec1a6c22f4775a407638c6fd03d24a7fa437c2781035ab90c95803aade70fcd19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll

Filesize
428KB

MD5
90adbed40eccb88261b426a3edbe7d64

SHA1
b9a2a4545a494a4bf282bce760c20952c907a225

SHA256
50905ff3732052549c0b3c0519998d84f6d4b6b92c5ed99639d3f9955edcdab3

SHA512
0254cc18fdb0803d27da99d35b99fb0df7adece7acd35d5a8ee2fd889b3e57d2edee2588352784a0c9e941a0b75e7e89710c2fd6bbf1573e4abe0d68b3df4d02

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll

Filesize
284KB

MD5
b6740a4ae51a502d1cc6f4c4aeaa599c

SHA1
1a550de829e3e9a2ae2d6fa2bacfc2a2b0390417

SHA256
01e87e1587a26f245438cf9a1f6f7c6bbe8eeac588c3f6680240dc238f36e3cf

SHA512
8c3156d165c7b10aac9d457af6bb843d553203c444afd22f05fdcdc68409966e779badded16551946223bd3d02ba78d62855ba9437d3c4dc7548354c1755bed5

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

Filesize
3.3MB

MD5
a89871f4fb8517d47eaf356fcba5f9c2

SHA1
4a19ea78e1ea859447c584a4eee2fd62a1c3903f

SHA256
afc118ca9b161f9b2439a63c84a1a172d6e854540aa8a24538ac73e83a09273b

SHA512
3574660b1156f1501d42a1406093c416237457f8331fac32419e26a8cdb6a8e582a17c0be1c960bc86206b7a12d0324b588e51ebc9a87933233507ecaec8991f

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe.config

Filesize
11KB

MD5
cd4e494e258c7eb0585fe76ebe9e6233

SHA1
e93eb57e6c38e496fda92dbcb31021b34ae47cfe

SHA256
bf61730717f05b95c4f43d425b6d7d15deac39d53e28eb302e5723c7a9b7b0b2

SHA512
413b3727a71126e3f35551232607d95f8bd79342526c0144cbca929e6dd3e65aab56b2d1f37baafad53ea23dca4c55bdd363cd45d0c54792c3118726ea45c07c

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\liblz4.dll

Filesize
133KB

MD5
148d06eedb7e5d678737b0db1de41854

SHA1
8a1f616124c2b1a4207fb25a278ce8ff2b45c605

SHA256
4f300a4f2b2c54d270c817198e83396cae24badcd186778f5e1aed72f3da222a

SHA512
9ad9ad9d78a16bef0dc518abb9f6ae0803e60d50c6a35081c1ea046453c7e64dd9b5cf15e39de0ae5690f48a6cfd0067c24a1338ee50318c961cf5c6b6ab7a06

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
2354866890cf03971a066b1b0a6e2376

SHA1
a446317cfed4875d5f6b82b507bb9097029277a6

SHA256
83f5dfb7e27c8316ae780d39eaefe6583dfd119a4e9e556a6552df799f300e0d

SHA512
c681e0a545812198f7a89eba33bde9fb0637a3b94b50a63980767f40279618433ed71082c7575c84d5ab1ca2f664bba573c8f3d7fe0a39e8d3229fb85158372a

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\ucrtbased.dll

Filesize
1.6MB

MD5
38a817eccad491efc1837c6898c47405

SHA1
b64a392cef5f002561e7012e2064c044aaefca54

SHA256
eeca89b65f569ab698dd17370985955856bf7660395804af5fea08db926bd494

SHA512
f199c154939e7fbd94b9e12a9794c0c5258b3c0aa387e4a4f056665377998736add55b41f5ce62fae6f1639088add32570a4c9bd0017c04eee95f46f2d95da9b

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\vcruntime140d.dll

Filesize
106KB

MD5
2d4432c819cb81f66577be18d3af05bd

SHA1
8225b327176a8fa9bc6f80608fac635cda56b918

SHA256
18b5786e3770ab51795207589cd7fc13453ff26a9537bc83ee287e0c7c28b76f

SHA512
05faf84248a76e71604512f94d7cf3d9eebcfd2898e4c89365821f474f60d879393f16e3275c20d6e6a7d7d8f9e6474d9a632a02613882a422a15f8402440029

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll

Filesize
824KB

MD5
27894a5da2338538e7403ac060d5d7f9

SHA1
76fa92b25490eaefc8b9ee878a63242e6a646f86

SHA256
1442d69bc8445d1f0ebb232081d23ac641bbcc375234cc35cd28ef521f395e1d

SHA512
8f630763b225d2f950c475d9a5fe15927d7449caccbf7b347c06c9ef6675cfef1c568120d9cb79df0358f91054baf3be394376a5db3afa296f35c6e1e5313ae9

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\ActiveFeatures.zip

Filesize
394B

MD5
b6f8919dc75e795876d6ecf0054de404

SHA1
c07687f78f09aaf3963027df4d4ad232fe50a230

SHA256
a45d860abd08f002b7c9f2a205c61f18ddc565d6dabc2be08f7c953b548dbb30

SHA512
64a2b712f9e3555bdeb8d14aef70d939453851f7d1369b218befd7951f48aa9afe3774b9c53d67d7f4dc3851f9e7406a89c2da7145ccd3696265cfc274dd3b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\ActiveFeatures.zip

Filesize
394B

MD5
1760de0c16a706b9015832faf981bb58

SHA1
df23d0f0315ba42385fb2b8852c13fcdc354544c

SHA256
35691318c9be16bb449a3ed5405b4f556e6b1948a8fa389018e9c9aa1a9d3575

SHA512
b5351bdacab20328706d53202db091df2d42d333cb687c7733791cbfa44574e6f03c848e4e1bf504d8af558246f20d82fb7d363d1beed298a3bec29da418ecb0

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\AppSettings.txt

Filesize
332B

MD5
590fd86ad024f2b655deec8333e240a9

SHA1
f1946050248dd1aea834f139063ac8eb3e41677e

SHA256
7afe6a8c5bf14cace6e9bb2d40df2adb5f31325fc024f448138106cf7b63f7c1

SHA512
c19bf730552e548b6caaa27f5ff2c5b34d34ac9408b3b6e388361635ddfd4f619b9205fad76b9141f2804b8dd364cd843dcbabd4d9d7b7b712f320f6729d87ec

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\CData.txt

Filesize
209B

MD5
2e917257b70148cf98f30f74a2f7e622

SHA1
53fe51ff770f1a4a3c3708237b87c34fecb6715d

SHA256
5c77154636717a8ca291979199664120522688d6b33e8411f450d921428d092d

SHA512
f11455f95087282755c55be9e22e1fcf2870462eb6d03b4973153c71c9c92be094d020778761da8cbeb89b947e43854cbb069d423758cff50b85907b30fd4e59

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\EData.txt

Filesize
207B

MD5
899e810161c7e1c9eb5338e5a75a125a

SHA1
eb56e1796068a7544d4aa17b9a32e450b6bfe3de

SHA256
095c4e298932e846bd697c3f303ba17e5e7cbc6bd934d70e5248a2b93548a04a

SHA512
815859729613a6854a964c291a2b674c975713d2740b84db2a4b02c99f9e50d2ca524cec1923560f10d4b2d36cefba60fd7059660b837e307b2d5d247edd6041

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\FData.txt

Filesize
208B

MD5
139a463ccb961c2db87cec01e70bf1f8

SHA1
8b369c6c3141fbfd980b3ec9cd5b93fd6533b79c

SHA256
279b1389ab21b21344b131d6ced6bcb8796ba6370ce43a7423ec5f7e67407a92

SHA512
9a31f5f349139af40edfeaaeb1e8e3cf4d2bcd0f0802006ca54a4539fc2c471c6b3ef321b0f55c515c0f70417d1ce9767b538e95f0fb0b623a87c4305a632f4f

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\FeatureActions.zip

Filesize
656B

MD5
965f6b5ae465515efa795aa59b7ace16

SHA1
d43f4e1e73cd9c87cd6ed71d30d7ae96eb6e031b

SHA256
a4a643ed7f285f991bd00b2a7f6710f373f59a94c790291efc99f9452c57317a

SHA512
414de94e3ffe5eb668db99dc5e317e40b210c80bf8af30e1305c6c39767256fe784ae5e8bd90801d86d1d6bd6373908cbdf04c2b561e4960c2a141d8f1f992a4

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\FeatureActions.zip

Filesize
225B

MD5
dd440a934b76277890150b9ed5c27e2d

SHA1
bbc3fe5a4723fb8015ef8b93a45504c6c774c9c5

SHA256
940f5a5fefbe0c1104ef79e54d3427841439e0e27b169ed173d58c45043628af

SHA512
e8d040146d94c3de42a9d1d2fe62a2a685336227ea6283174b14acf3f1851c75164c51290f5e79f1407343ef5994e1e92687d29c444642b71e445f46edba04b6

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\Language.txt

Filesize
20B

MD5
3e682eb51baee9f27b0775287510ac6e

SHA1
0c62c14b2d05af414cdc225db43b60e79ec7b280

SHA256
05a960000c74ca2f31fac1800e5156e2e4d04a78873f005218aeeb8fbacbbff6

SHA512
885ffe4359bf0fd7793b304312c7c6c3e36e767490d0ee542be5b41a74e8c4a2567c4929bb0c4bf8021a3f07ed97cf05f3feac224b79bd76a0aac9f3b1bd3a06

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\Partner.txt

Filesize
48B

MD5
f2a5063d1dddc762f781d18ac2f5f8ed

SHA1
807bea2e612fb9226583e7a871718f2d9b403073

SHA256
832c9255722b63f2e9b41f650fd34ad1b876532602d14c5ddc90a6748356ec55

SHA512
6ddc148f57bf7964e5af5e452f29be41d73051a9cd73ce601055196e229dcf3c60d972451718be2e07e157428bfae73b8c9445a94a42b9b075b7a3291f7366f9

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\ServicePartnerInfo.txt

Filesize
183B

MD5
20231614e7973f2fbd8ad6d13fba6df9

SHA1
5db52bcf31697f2ba6d98822665a197e75a9fdb4

SHA256
47d84dbd573b45b09dabfb37400d9050170a69dedbc66101e8e75308b63fd8b1

SHA512
feb84f3d0be7f899b1a80e483c10927f8291742120ad42f5e29f9843ee1372de2b61a9a8dc8ace18fcd01d9162d5a398418f892a674c5f04e4636ab253ff57af

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\Statistics.txt

Filesize
56B

MD5
4c87caf4a304aea9334097f4103e4eb8

SHA1
785621c79563c2bd7746fefb3ef6cee8aaf0e879

SHA256
5b4820bb9cff78f7b5404093882607aa000ba54d7102a8982b99b6841292f2f3

SHA512
15adf6fb6bf61a65684f79210a1d3a4dc5e4211b2ad2e5fdd0229532bc33eb4fcbb35f8dce2eacaf8cc2627f2740ee594ba56556c9d94890c801ea876838b5fa

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\WebProtectionConfig.txt

Filesize
308B

MD5
0cb1cc6ebd3113ffa4d08cb8e611b0c1

SHA1
c084178a890875d41c400e8950537e1f8a58a50f

SHA256
b578ec7cfe4cdf6690c83daa66b068fc585a8b35fc3a8722e29f2dc0fabb26e2

SHA512
c86f4c9a16249313e1a4e0561dc6241e931c5d382a830b64e3aa9d1447734716417bc2f08e4860edc0d2945cc5091170b90039194c90985395d33a36662fffec

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\statistic.db

Filesize
2KB

MD5
ce80c21024bbf5de90df4050c1422565

SHA1
34a8f2c0c8c4741a320237be978e0c74dbec6100

SHA256
9ebf2287376570662b0f6ddc09dcb05cc5bb6d0e07c7c9d0593182b6b496ae25

SHA512
c5ebea70c62694b9c22aa26642b7d4d163455027e0006d2c2fb123b713619a1e7b66b1ae35befb5fa3b6fc4f6fe8a40e10f4b70a5fb3e11a509cdab7d124fbb3

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\statistic.db

Filesize
2KB

MD5
3b6ac266201df797a03732a1ffe02246

SHA1
58084fbdb570971c7b895f3912c8fe020a79b12d

SHA256
68e13763454f119e3e332774e66582ea6ff896a2052b9ce3d3ad23cc364ae70f

SHA512
495dd40bcd1a64e784cccfe32e8c918484e9ba95170e138bc725555b17e16340f935aad45d38c6373cd27cad5c4a30a319a9fdc0d57c56bc1fb99678eed12919

Download Submit
memory/4236-1042-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1054-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1053-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1052-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1051-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1050-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1049-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1048-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1044-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4236-1043-0x0000024617DD0000-0x0000024617DD1000-memory.dmp

Filesize
4KB

Download
memory/4400-591-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-180-0x0000000005B90000-0x0000000005BCC000-memory.dmp

Filesize
240KB

Download
memory/4400-163-0x0000000005610000-0x000000000562E000-memory.dmp

Filesize
120KB

Download
memory/4400-159-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4400-158-0x0000000005490000-0x00000000054B0000-memory.dmp

Filesize
128KB

Download
memory/4400-154-0x0000000005080000-0x00000000050D0000-memory.dmp

Filesize
320KB

Download
memory/4400-150-0x0000000000540000-0x0000000000888000-memory.dmp

Filesize
3.3MB

Download
memory/4400-388-0x0000000007E80000-0x0000000007EB4000-memory.dmp

Filesize
208KB

Download
memory/4400-149-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-209-0x0000000006470000-0x0000000006482000-memory.dmp

Filesize
72KB

Download
memory/4400-210-0x000000006B060000-0x000000006B072000-memory.dmp

Filesize
72KB

Download
memory/4400-193-0x0000000005D20000-0x0000000005D48000-memory.dmp

Filesize
160KB

Download
memory/4400-429-0x0000000007630000-0x000000000763C000-memory.dmp

Filesize
48KB

Download
memory/4400-185-0x0000000005C60000-0x0000000005C82000-memory.dmp

Filesize
136KB

Download
memory/4400-439-0x0000000007F80000-0x0000000007FF6000-memory.dmp

Filesize
472KB

Download
memory/4400-441-0x0000000008000000-0x000000000801E000-memory.dmp

Filesize
120KB

Download
memory/4400-167-0x0000000005690000-0x00000000056B6000-memory.dmp

Filesize
152KB

Download
memory/4400-181-0x0000000005B50000-0x0000000005B71000-memory.dmp

Filesize
132KB

Download
memory/4400-477-0x0000000008D40000-0x00000000092E4000-memory.dmp

Filesize
5.6MB

Download
memory/4400-197-0x00000000064C0000-0x000000000652E000-memory.dmp

Filesize
440KB

Download
memory/4400-177-0x0000000005730000-0x0000000005778000-memory.dmp

Filesize
288KB

Download
memory/4400-173-0x00000000056D0000-0x00000000056D8000-memory.dmp

Filesize
32KB

Download
memory/4400-330-0x0000000007450000-0x00000000074C8000-memory.dmp

Filesize
480KB

Download
memory/4400-559-0x0000000008350000-0x0000000008372000-memory.dmp

Filesize
136KB

Download
memory/4400-582-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/4400-590-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/4452-1013-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/4452-592-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4452-593-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/4452-596-0x000000006B060000-0x000000006B072000-memory.dmp

Filesize
72KB

Download
memory/4452-1016-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/4452-1014-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/4452-803-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/4452-970-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4452-967-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/4452-831-0x000000000BD70000-0x000000000BD78000-memory.dmp

Filesize
32KB

Download
memory/4452-802-0x0000000008BE0000-0x0000000008BEC000-memory.dmp

Filesize
48KB

Download
memory/4452-801-0x0000000008A20000-0x0000000008A76000-memory.dmp

Filesize
344KB

Download
memory/4452-804-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/4812-57-0x000000000A040000-0x000000000A078000-memory.dmp

Filesize
224KB

Download
memory/4812-38-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/4812-39-0x00000000059C0000-0x0000000005A0C000-memory.dmp

Filesize
304KB

Download
memory/4812-37-0x00000000034F0000-0x0000000003502000-memory.dmp

Filesize
72KB

Download
memory/4812-36-0x0000000005970000-0x00000000059C0000-memory.dmp

Filesize
320KB

Download
memory/4812-35-0x0000000006050000-0x0000000006668000-memory.dmp

Filesize
6.1MB

Download
memory/4812-34-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/4812-40-0x0000000005C50000-0x0000000005D5A000-memory.dmp

Filesize
1.0MB

Download
memory/4812-45-0x0000000006B20000-0x0000000006B8E000-memory.dmp

Filesize
440KB

Download
memory/4812-33-0x0000000000F50000-0x0000000000FBE000-memory.dmp

Filesize
440KB

Download
memory/4812-32-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4812-46-0x0000000007180000-0x00000000071A0000-memory.dmp

Filesize
128KB

Download
memory/4812-47-0x00000000071A0000-0x00000000074F4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-48-0x00000000076F0000-0x0000000007756000-memory.dmp

Filesize
408KB

Download
memory/4812-1021-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4812-52-0x00000000079D0000-0x00000000079D8000-memory.dmp

Filesize
32KB

Download
memory/4812-53-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/4812-315-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/4812-54-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/4812-55-0x0000000008210000-0x0000000008218000-memory.dmp

Filesize
32KB

Download
memory/4812-56-0x0000000008220000-0x0000000008228000-memory.dmp

Filesize
32KB

Download
memory/4812-58-0x000000000A010000-0x000000000A01E000-memory.dmp

Filesize
56KB

Download
memory/4812-63-0x000000000D860000-0x000000000D894000-memory.dmp

Filesize
208KB

Download
memory/4812-143-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4812-144-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download