hxxps://webcompanion[.]com/nano_download[.]php?savename=Setup[.]exe&partner=IN240402&nonadmin&direct&tych&campaign=21127515562

Analysis

max time kernel
82s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://webcompanion.com/nano_download.php?savename=Setup.exe&partner=IN240402&nonadmin&direct&tych&campaign=21127515562

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
4544	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
5804	WebCompanion-Installer.exe

Loads dropped DLL 44 IoCs

pid	Process
2768	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
5804	WebCompanion-Installer.exe
5804	WebCompanion-Installer.exe
5804	WebCompanion-Installer.exe
5804	WebCompanion-Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3820	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
4976	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
4544	WebCompanion-Installer.exe
5180	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
2768	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5608	WebCompanion-Installer.exe
5800	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
5980	WebCompanion-Installer.exe
1128	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
5388	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe
4740	WebCompanion-Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3820	vlc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	WebCompanion-Installer.exe
Token: SeDebugPrivilege	2768	WebCompanion-Installer.exe
Token: SeDebugPrivilege	4976	WebCompanion-Installer.exe
Token: SeDebugPrivilege	5180	WebCompanion-Installer.exe
Token: SeDebugPrivilege	5608	WebCompanion-Installer.exe
Token: SeDebugPrivilege	5800	WebCompanion-Installer.exe
Token: SeDebugPrivilege	5980	WebCompanion-Installer.exe
Token: SeDebugPrivilege	1128	WebCompanion-Installer.exe
Token: SeDebugPrivilege	5388	WebCompanion-Installer.exe
Token: SeDebugPrivilege	4740	WebCompanion-Installer.exe
Token: SeDebugPrivilege	5804	WebCompanion-Installer.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe
3820	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3820	vlc.exe
3820	vlc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4544	2052	Setup.exe	111
PID 2052 wrote to memory of 4544	2052	Setup.exe	111
PID 2052 wrote to memory of 4544	2052	Setup.exe	111
PID 212 wrote to memory of 2768	212	Setup.exe	112
PID 212 wrote to memory of 2768	212	Setup.exe	112
PID 212 wrote to memory of 2768	212	Setup.exe	112
PID 3676 wrote to memory of 4976	3676	Setup.exe	118
PID 3676 wrote to memory of 4976	3676	Setup.exe	118
PID 3676 wrote to memory of 4976	3676	Setup.exe	118
PID 3820 wrote to memory of 5180	3820	Setup.exe	120
PID 3820 wrote to memory of 5180	3820	Setup.exe	120
PID 3820 wrote to memory of 5180	3820	Setup.exe	120
PID 5480 wrote to memory of 5608	5480	Setup.exe	122
PID 5480 wrote to memory of 5608	5480	Setup.exe	122
PID 5480 wrote to memory of 5608	5480	Setup.exe	122
PID 5664 wrote to memory of 5800	5664	Setup.exe	125
PID 5664 wrote to memory of 5800	5664	Setup.exe	125
PID 5664 wrote to memory of 5800	5664	Setup.exe	125
PID 5792 wrote to memory of 5980	5792	Setup.exe	126
PID 5792 wrote to memory of 5980	5792	Setup.exe	126
PID 5792 wrote to memory of 5980	5792	Setup.exe	126
PID 5548 wrote to memory of 1128	5548	Setup.exe	131
PID 5548 wrote to memory of 1128	5548	Setup.exe	131
PID 5548 wrote to memory of 1128	5548	Setup.exe	131
PID 2932 wrote to memory of 5388	2932	Setup.exe	139
PID 2932 wrote to memory of 5388	2932	Setup.exe	139
PID 2932 wrote to memory of 5388	2932	Setup.exe	139
PID 5772 wrote to memory of 4740	5772	Setup.exe	142
PID 5772 wrote to memory of 4740	5772	Setup.exe	142
PID 5772 wrote to memory of 4740	5772	Setup.exe	142
PID 5624 wrote to memory of 5804	5624	Setup.exe	146
PID 5624 wrote to memory of 5804	5624	Setup.exe	146
PID 5624 wrote to memory of 5804	5624	Setup.exe	146

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://webcompanion.com/nano_download.php?savename=Setup.exe&partner=IN240402&nonadmin&direct&tych&campaign=21127515562
1⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3704 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4456 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5736 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5388 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6028 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=5656 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=7020 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4180 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4132

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\7zS4D026EB7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\7zS4083ABD7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5712 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x49c
1⤵
PID:924

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\7zSCEECFF97\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5180

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5480
- C:\Users\Admin\AppData\Local\Temp\7zS8653D6E7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5608

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Users\Admin\AppData\Local\Temp\7zS026A8FE7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5800

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5792
- C:\Users\Admin\AppData\Local\Temp\7zS0A6022E7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5980

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5548
- C:\Users\Admin\AppData\Local\Temp\7zSCA574197\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6048

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\7zS47B60358\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6620 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:2096

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5772
- C:\Users\Admin\AppData\Local\Temp\7zSC8676778\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:832

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5624
- C:\Users\Admin\AppData\Local\Temp\7zS8F5D6928\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=21127515562 --version=12.901.4.1003
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5804

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\BackupPop.3gpp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4083ABD7\WebCompanion-Installer.exe

Filesize
428KB

MD5
f6271b5d4729c2fd7dd9950f41d57c8b

SHA1
b201f20d58d3d0de4edbc513b25c4af8d3790d13

SHA256
04e8c3de51503351b4d52fa9b010aebb41d3cca46387046e8e689fbaa7063c16

SHA512
8e4ff8ec79b154211d2b6ded28025b92c4f09e36ee160be689af986ae2aeb0f444d834b04f2c6887e757f618f1d7dfe049f8d8e6a6c460c99f79a80a1580db9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D026EB7\WebCompanion-Installer.exe.config

Filesize
2KB

MD5
be34b448b611dc35dd383ed545e8fa96

SHA1
6c9dcd8d936f0e39648f8fa80e7f07d9ce6f550e

SHA256
deeba89fab938088e2e65942e93210e6e368eef6bc1ca8e8724ed43154701851

SHA512
796bc2ee8672b64d9f5859f0b091e76de9523beb91a7c8a1aaf59be30902bb73f5d197f271d9d50ba6139b109b00f121efa11929f322af71fe9d32c683ad8c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
b0040d764201abd71c26560e798bfa7f

SHA1
a3f32be47621d353d67c6a72b7059b553801a9b8

SHA256
13c3e0fec7ff29eb8ab28b321102c2d27afcbb410884cd693cfd3d211bbef1d5

SHA512
104f157b822901375cacbb22121c1c866254eca5979422741768aed5536b0d51f5efce24b6106927cb16843276fc8e4b8f70ba20f5ac3c48a75460b2ab14e478

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\Newtonsoft.Json.dll

Filesize
428KB

MD5
746c1f0ea5a5c0a67fe96dba4e32ac76

SHA1
cb31834984b5c7509499f0a9a5febe2e3575de78

SHA256
9ee20b0b7e54e633eff1a25b6e379201d499552689ad29eebd5ad90f221b1386

SHA512
b07f6032d609291f3f3d6e75abc055cbc0751c2cde4cfb4eb5ab93611ad8391e877dad92009dec70c0c2a7fb96b20cb4392a1a51634006466bca06fec36ce358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\de-DE\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
882d661d8e16dbbb09ac9b31454130f2

SHA1
338b00ed41992bdd219c8837a4930cf598f3cc9f

SHA256
91b10f5bb33ce0a3c1d10ba53ac71dbd95a5702cb7b183a65210c54ffb9cd585

SHA512
17c75ace7df1f31318f43e77ce9351024dde9bd9fdb7031536ad049d9b3876afe3d5c2dcdf529ff91e3d0b5246b6195817d05239945a5e6cc5cf0fd89b1ed3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\en-US\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
e4266f63970e9bb702fded23abb07ad7

SHA1
fb53dbbc93788d7ac3672520706195ab3eb75fd0

SHA256
83cf07757ca5e7c3dd2a8cabc44ba246b6b6f24c3d7042ceb3fc91ddfa8c4160

SHA512
4632e8af8c60b242d7213ec4eebfff358c59e0408e2f6d1821bd87553877e0ff4c9e874992242b303d26a2c53ac53e628674ce2ddb0dc0102e581c05f25c5f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\es-ES\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
49097a52ee5bb99275f10224fbdf8def

SHA1
8afe2adc0e2d0fec32e836c8b4083d769f5dc70a

SHA256
8922f2be98bdef22ca58cb24ad75cac9cc9a6eeeb5e61c359cc9d639b0ca72b9

SHA512
dc3dbc1ddd4a783ddbb3faca720fe0865f743742d1fe6143edc26ba22e9d7cf3f86b49a33b41851e3dc6afe6904db7a2f4d6538bd0ff8ccc810cf0d50192565b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\fr-CA\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
e3f8a037101b250e7d355aebbe6df9ed

SHA1
2822c620fe0e1f2f0e01118b86ed4883b204478e

SHA256
c9e73b71a6f04a113e2765e7ffaa6051e09e5f3e86ce2f67d264b3db05f9e19a

SHA512
2a09442330aa864aa614fdedaa9909dc3633a35bd80a29eb2680912d24e198cca2490d46eb0e178ee0dc5ebfc04ab1d957f80a7d8922e62fd32c7c461ed05c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\it-IT\WebCompanion-Installer.resources.dll

Filesize
5KB

MD5
b1e13550602007500ab49888607320e7

SHA1
ec2ab57b495ca7d139035c8bd0f1032572bff6b6

SHA256
5126c176226ef22564ced739e43f65a50ee96034f4d709ab184a3e1c07d53797

SHA512
3075daf5b34c968795717f8b2b8a280cd5b645559c7c9d042c1219461404d33dad0a6c1b47ec1df97040e15daf621f252a4b4b8e848ad0d034bf4ba1c16fefdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\ja-JP\WebCompanion-Installer.resources.dll

Filesize
5KB

MD5
6d043830cba47195b2dd06dafc9216ba

SHA1
620032581018c0c7c0dc7ecba7498af17e11470c

SHA256
dcd3bd4fbf91bf5348f071ad284866725dff07907641c9f52f9ee99c26ec3eb5

SHA512
1aaaef89db71e424c758ea89bc06d3affe13749630cbbdf10d1bbb16e4f04ba007158787b0d72da9939af1893749c42374a074f879ea73614f24616449561033

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\pt-BR\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
917bc855c6178351a99ae65dc3c45129

SHA1
38c95fc10ac543c9ed6d225f027986c9e50adda0

SHA256
2960ae10ebe3bce868c0d7ff416ffb462f2b6e3032a5d576c7154ff451acc713

SHA512
070ef17be2f6714c1219810709a6793c0a26d7880467545515f9a9517060647e078c9420db23495bee97ac78e4a6a55736a272ce8312f53dac8fba2dd703a589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\ru-RU\WebCompanion-Installer.resources.dll

Filesize
7KB

MD5
f0d226185c695ea2479fdb885a7fb704

SHA1
e35dc6ed24397c2e86668df85b2833d55b39f429

SHA256
53435a7c3e55c7f3e9733f704e60014c2bd12512c902f16134492c2ae1c591bb

SHA512
6005b7788086dd388b372b624505265dc054dbd3ef3ba5b56cbddedc8c97ab3a50dd4c6d92a9f85d25ae5b4ad647b697a1740c89afe507e0c696e403d4ca0c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\tr-TR\WebCompanion-Installer.resources.dll

Filesize
5KB

MD5
dd93abf6bc320748f8981c9815c533b1

SHA1
d1d7e9c82f9ad8f013a1637c82b9e9ee4e9cb824

SHA256
486d1257c3b23a868c3dff1b08d6d03a0333df9ee1024bd0cca961165cdaed85

SHA512
c6c625fda3b77eac734536ebbcdcc99c713803e4a29b8b709120e5cff8c65ab089d5458cde3c9cffa0d493d93d10948e9589f5d9d0aa44fcbacf6e354c8a93a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5E820E7\zh-CHS\WebCompanion-Installer.resources.dll

Filesize
5KB

MD5
e3614e59f9f8c062a9b7b2a2e3d65c79

SHA1
b977f93411d7b1031aa53431a081af1c7a28278d

SHA256
2ffd832564129e2e3edbd0e505c222ee64d13b78641f83b284052bb32c808b1b

SHA512
e87035a488833d964c800cb5fc1aa378843c9dbb1ccbbc3230c1b19c3d5339820325a5d506fff2e5876e1adb56a4aea07fcd2dd2224ea72bc928a6f31abb9cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\Statistics.txt

Filesize
56B

MD5
5d49b6ef056f17c6accc39e0e092b5b9

SHA1
af0fe7dbb805ac0129c4850b07631e5c437c55e7

SHA256
9365ba203973d0f7d56555eeef26b386106c849aa21bb9c23dee42ad3c2efd17

SHA512
d1363aa21b689d6efd112077318472cb50f26d1fa5cf84d3bffcdeea634f36d3b10dc81013aea0f354064325c6dd5d227d9e85348ced64be9b12ab651b23bd8a

Download Submit
memory/1128-563-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/1128-305-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/1128-304-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1128-411-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/1128-435-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-148-0x0000000004E20000-0x0000000004E8E000-memory.dmp

Filesize
440KB

Download
memory/2768-66-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-317-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-323-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/2768-332-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/2768-410-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-137-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Filesize
72KB

Download
memory/2768-141-0x0000000004C90000-0x0000000004CDC000-memory.dmp

Filesize
304KB

Download
memory/2768-132-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/2768-135-0x0000000004B90000-0x0000000004BE0000-memory.dmp

Filesize
320KB

Download
memory/3820-663-0x00007FFB9A0B0000-0x00007FFB9A366000-memory.dmp

Filesize
2.7MB

Download
memory/3820-662-0x00007FFB9CF70000-0x00007FFB9CFA4000-memory.dmp

Filesize
208KB

Download
memory/3820-665-0x00007FFB97B70000-0x00007FFB97C7E000-memory.dmp

Filesize
1.1MB

Download
memory/3820-661-0x00007FF7C5040000-0x00007FF7C5138000-memory.dmp

Filesize
992KB

Download
memory/3820-664-0x00000135875B0000-0x0000013588660000-memory.dmp

Filesize
16.7MB

Download
memory/4544-133-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/4544-346-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4544-64-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4544-65-0x0000000000930000-0x000000000099E000-memory.dmp

Filesize
440KB

Download
memory/4544-138-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4544-330-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4544-321-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4544-192-0x00000000066E0000-0x0000000006700000-memory.dmp

Filesize
128KB

Download
memory/4544-313-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-567-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-565-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4740-562-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4740-561-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-348-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-318-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-131-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-136-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/4976-322-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/5180-140-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/5180-256-0x00000000070B0000-0x0000000007116000-memory.dmp

Filesize
408KB

Download
memory/5180-319-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5180-134-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5180-320-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/5180-193-0x0000000006B90000-0x0000000006EE4000-memory.dmp

Filesize
3.3MB

Download
memory/5180-310-0x0000000007510000-0x0000000007518000-memory.dmp

Filesize
32KB

Download
memory/5180-139-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/5180-331-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/5180-347-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5180-142-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/5388-564-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5388-531-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5388-530-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5388-529-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5608-190-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5608-436-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5608-336-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5608-337-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/5608-338-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/5608-191-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/5800-339-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5800-437-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5800-257-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/5800-228-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5800-340-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/5980-432-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5980-341-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/5980-265-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/5980-261-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5980-479-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download