7c4c29521545d8bb875e91b5ebbf342a39d336fbc77f566bc2cfaefc70454777

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
Size

326KB
MD5

68e56acafcb0fe632ef7fc0d9d9a6588
SHA1

99bd546220ff8fadee2335cff747c485c9d5c72e
SHA256

7c4c29521545d8bb875e91b5ebbf342a39d336fbc77f566bc2cfaefc70454777
SHA512

c42f673feab8c17fcacec2f0aa0a6f8bae92e1d984ae4325dfba50e13b4221b2b701a32313fc698a48951bfa51436e193b0daefde7e71d289cdbf0d656901069
SSDEEP

6144:T3VTflVq72ECrYhiH6it/PMyWPC7EHwksThzkHY8AOoAt4qLTz754Z:T3VTdVq72ECrYhiH/t0a+wb9mY8OA7Ty

Score

10^/10

discovery evasion execution persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

RunDLL32.Exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET5D3E.tmp	RunDLL32.Exe
File created	C:\Windows\system32\DRIVERS\SET5D3E.tmp	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\bddci.sys	RunDLL32.Exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WebCompanionInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WebCompanionInstaller.exe

Executes dropped EXE 3 IoCs

Processes:

WCInstaller.exeWebCompanionInstaller.exeDCIService.exe

pid process

1972 WCInstaller.exe
540 WebCompanionInstaller.exe
4480 DCIService.exe

pid	process
1972	WCInstaller.exe
540	WebCompanionInstaller.exe
4480	DCIService.exe

Loads dropped DLL 23 IoCs

Processes:

WebCompanionInstaller.exeDCIService.exe

pid	process
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe
4480	DCIService.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

RunDLL32.Exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" RunDLL32.Exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe

flow	ioc
4	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

WebCompanionInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bdnc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\OnlineThreatsSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\liblz4.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ja-JP\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bdnc.ini	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bittorrent.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-processenvironment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-convert-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-processthreads-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Omni.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUSDK.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\System.Data.SQLite.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-interlocked-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l2-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_start.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ucrtbase.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Automation.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-environment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\sav.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_core.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bridge_uninstall.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\DCIService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-synch-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_install.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\sav.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-libraryloader-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-libraryloader-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-timezone-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\BDUpdateServiceCom.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\msvcp140_1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-environment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-utility-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-sysinfo-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-locale-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-processthreads-l1-1-1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_reinstall_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-timezone-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\lsa.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\smtp.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-runtime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-util-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.sys	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140_1.dll	WebCompanionInstaller.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2044 sc.exe
5092 sc.exe
1340 sc.exe
432 sc.exe
824 sc.exe
1504 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2044	sc.exe
5092	sc.exe
1340	sc.exe
432	sc.exe
824	sc.exe
1504	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423183120"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108250"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e00148539aacda01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108250"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1388012123"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1388480903"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04643539aacda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f8440000000002000000000010660000000100002000000053508277191f491ecacadb5329daa22fa8e086c4e4e548311335da2dcff7caaa000000000e8000000002000020000000255b6217825ed046ee942ef28fe8b67da025f3277c6323915f618511bf84a46b200000000ef6865a9022793a97b524db3f1236fb1fc7ad8b53440a6aeee879da29c09c0040000000fe302e525f7954da79697dfa673489c0c3c991aff465e0fe7ee54609dcf3746b7807ada67456e4800e86a54060080ff0cc798ac257baf0db5253b11dc9d6628e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108250"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1388480903"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E4D1046-188D-11EF-B865-5EBA24C12ACF} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1388012123"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108250"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f844000000000200000000001066000000010000200000006c5b5ad0117f80c6e4d3aa86a7c0e99d18138c5102d83c7d5733c75dfa529d0c000000000e80000000020000200000003f59b21a7cb0da81b3d572cc99a3e6a7a755438b17443c76d62cce1ff458e58020000000afd52728654246bbfccf0a151cf50a3339f1a4e2ae53c25decbebcc394102853400000000ab7711bc379d0c30a8dbe7ae4d7758983ee70ae684ea2f339f92623d13f0bdcd667b23ec052a43028607158d63e66e8db246f85d076d2249feee344ec944097	IEXPLORE.EXE

Modifies registry class 1 IoCs

Processes:

WebCompanionInstaller.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings WebCompanionInstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	WebCompanionInstaller.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WebCompanionInstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exeWebCompanionInstaller.exe

pid	process
4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
540	WebCompanionInstaller.exe
540	WebCompanionInstaller.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WebCompanionInstaller.exe

description pid process

Token: SeDebugPrivilege 540 WebCompanionInstaller.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2652 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2652 IEXPLORE.EXE
2652 IEXPLORE.EXE
1952 IEXPLORE.EXE
1952 IEXPLORE.EXE
1952 IEXPLORE.EXE
1952 IEXPLORE.EXE

pid	process
652

description	pid	process
Token: SeDebugPrivilege	540	WebCompanionInstaller.exe

pid	process
2652	IEXPLORE.EXE

pid	process
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exeiexplore.exeIEXPLORE.EXEWCInstaller.exeWebCompanionInstaller.exeRunDLL32.Exerunonce.exenet.execmd.exe

description	pid	process	target process
PID 4856 wrote to memory of 1196	4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe	iexplore.exe
PID 4856 wrote to memory of 1196	4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe	iexplore.exe
PID 4856 wrote to memory of 1196	4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe	iexplore.exe
PID 1196 wrote to memory of 2652	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 2652	1196	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 1952	2652	IEXPLORE.EXE	IEXPLORE.EXE
PID 2652 wrote to memory of 1952	2652	IEXPLORE.EXE	IEXPLORE.EXE
PID 2652 wrote to memory of 1952	2652	IEXPLORE.EXE	IEXPLORE.EXE
PID 4856 wrote to memory of 1972	4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe	WCInstaller.exe
PID 4856 wrote to memory of 1972	4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe	WCInstaller.exe
PID 4856 wrote to memory of 1972	4856	68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe	WCInstaller.exe
PID 1972 wrote to memory of 540	1972	WCInstaller.exe	WebCompanionInstaller.exe
PID 1972 wrote to memory of 540	1972	WCInstaller.exe	WebCompanionInstaller.exe
PID 1972 wrote to memory of 540	1972	WCInstaller.exe	WebCompanionInstaller.exe
PID 540 wrote to memory of 2044	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 2044	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 2044	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 5092	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 5092	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 5092	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 1340	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 1340	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 1340	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 1328	540	WebCompanionInstaller.exe	RunDLL32.Exe
PID 540 wrote to memory of 1328	540	WebCompanionInstaller.exe	RunDLL32.Exe
PID 1328 wrote to memory of 4468	1328	RunDLL32.Exe	runonce.exe
PID 1328 wrote to memory of 4468	1328	RunDLL32.Exe	runonce.exe
PID 4468 wrote to memory of 4572	4468	runonce.exe	grpconv.exe
PID 4468 wrote to memory of 4572	4468	runonce.exe	grpconv.exe
PID 540 wrote to memory of 876	540	WebCompanionInstaller.exe	net.exe
PID 540 wrote to memory of 876	540	WebCompanionInstaller.exe	net.exe
PID 540 wrote to memory of 432	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 432	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 432	540	WebCompanionInstaller.exe	sc.exe
PID 876 wrote to memory of 912	876	net.exe	net1.exe
PID 876 wrote to memory of 912	876	net.exe	net1.exe
PID 540 wrote to memory of 824	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 824	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 824	540	WebCompanionInstaller.exe	sc.exe
PID 540 wrote to memory of 2732	540	WebCompanionInstaller.exe	cmd.exe
PID 540 wrote to memory of 2732	540	WebCompanionInstaller.exe	cmd.exe
PID 540 wrote to memory of 2732	540	WebCompanionInstaller.exe	cmd.exe
PID 2732 wrote to memory of 1504	2732	cmd.exe	sc.exe
PID 2732 wrote to memory of 1504	2732	cmd.exe	sc.exe
PID 2732 wrote to memory of 1504	2732	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68e56acafcb0fe632ef7fc0d9d9a6588_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://hostas.ga/bb/tds.php
2⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://hostas.ga/bb/tds.php
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe
C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\7zS4B79CA38\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=8.9.0.992 --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
4⤵
- Launches sc.exe
PID:2044

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
4⤵
- Launches sc.exe
PID:5092

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
4⤵
- Launches sc.exe
PID:1340

C:\Windows\system32\RunDLL32.Exe
"C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
4⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:4572

C:\Windows\system32\net.exe
"C:\Windows\sysnative\net.exe" start bddci
4⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start bddci
5⤵
PID:912

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
4⤵
- Launches sc.exe
PID:432

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "DCIService" "Webprotection Bridge service"
4⤵
- Launches sc.exe
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\sc.exe
sc start DCIService
5⤵
- Launches sc.exe
PID:1504

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Lavasoft\WEBCOM~1\Service\x64\bddci.sys

Filesize
781KB

MD5
2a241af18d9f0466aff6cd77c1561f9b

SHA1
2c6bfc8e583ed026fdf9ec01265d99e22d39305a

SHA256
528804013487cdb1da617e512d1de68060602887bcc8a7822bdb1346a2995ffd

SHA512
6779667bb57c87fdbf4dee57682e7851b5ad5bea39deb09fcb596ae48eb571317749ff59e825f91bd57527dab7477deac5b24bdbd86471844fad36876c08dd28

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe

Filesize
3.3MB

MD5
3827ca1c0ec114a29bb576bef431f070

SHA1
1189dd380f160046de9f5f2f1d74459958f31a4b

SHA256
dd45886108aa85350feaa6d9fcc6c922b0874dfa18bbfe23111cc8edcb37fcb1

SHA512
480b6a1fc02fdec7fc2316f01b239bce98a6d8152770d329ddc4bfb37e2e00a7987a702900523ccc0380caabbee38a404683dbb20fe9c9b9456083559afb8218

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\MSVCP140.dll

Filesize
576KB

MD5
e74caf5d94aa08d046a44ed6ed84a3c5

SHA1
ed9f696fa0902a7c16b257da9b22fb605b72b12e

SHA256
3dedef76c87db736c005d06a8e0d084204b836af361a6bd2ee4651d9c45675e8

SHA512
d3128587bc8d62e4d53f8b5f95eb687bc117a6d5678c08dc6b59b72ea9178a7fd6ae8faa9094d21977c406739d6c38a440134c1c1f6f9a44809e80d162723254

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf

Filesize
4KB

MD5
e8b58a307f96dc9ce1eb2729f86e13b0

SHA1
5cee60f070930dc971e4d35d48e30364f623aad2

SHA256
2c9a7118ef74c3b168663c8ec6f3a7b27653896e193129ed0bc5e9aa55a0afbb

SHA512
7cd9fe7bcc8c8ec1466acc1adc7ab8c9ab6bdaf7c7c27dcc6c0cb43bab741f2519a88647ce43f74d7e9caf4ae39ae172dc639ed1b2027b9e8f15f35353613d91

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_core.dll

Filesize
1.5MB

MD5
13efc649989e224c8346c52ae3cc9a93

SHA1
bf907fee6fce0745601219f3faa89bc2c08434b0

SHA256
f994e407e9f78d521f335f25b7a4217fdcc4a5e6dc050fdf90d7870fda1e0ef7

SHA512
7c6f65858e3803ab9abe075c2e257e322594b875bd6001be5a6c6bde0ab271844ccd7f869394666a2ce9b535abb46e0332697d2c19836f886241881a60697ce0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddcihttp.dll

Filesize
2.6MB

MD5
53f6774df73cc44d29f354aecbdef948

SHA1
894158c553f39f8000c858c84ad772714e215d75

SHA256
d1130318e699b81f1918f468a8b49c9be7b8b4293c1078da4a17dac6ad999ec6

SHA512
5151804071c371fe2458c2fc67441441b01602a529582bed48b0e0226e051f933981dce1f84e3ac0f2ebe608b463fe1e9c226d058edd3bf6c5b35be9e8a9e234

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bittorrent.dll

Filesize
106KB

MD5
74d7799c00c804296c0f1b99324b513f

SHA1
527380e0e44c9fd8ca5f73d103e8e9f56eb13142

SHA256
66c0b9d01afab9db8f87164c747dc6bdd05ffae25092ab4627a8a47857118ab0

SHA512
3140d32d4199cc246fddb292400ec31bcc098e18349d9991828fc1462f7cd6aa3a0666037e569511b37b1cb6baf34c94be2fdc70a9685125a72fdd44e427cdac

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd

Filesize
49B

MD5
95e8c6cd0a911f1ab4969c06b8cf77a2

SHA1
be1b1f8abd0420f59ecab7bcf8120cdc2ce34195

SHA256
de795f6d8591577054813bee79e7c5b4ee13360039d29aa73971c6b985d26ebd

SHA512
e5eefaf761be7bf3cea207e22e98398093fa0a9d3b459af7df22bfbf07755816737a7b8b261acf01aec8b10b5d8f0d90132a4ecdd83c242b2cde883039fac1ff

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ftp.dll

Filesize
121KB

MD5
b7c081f03a50c391f5b22a0ee16b8a1e

SHA1
2fa63728dddb2e25f69adf0e02cbd75d053a9965

SHA256
42ccb6c597d0952042c3d3fdc0027634c3e9d118706a286277a32a7f6af6bd30

SHA512
8590e537d7df9523f934cd4bb18c7515d89e74fc8b3e8e35ce70b368c9a99659bf59dedb020fb470cf8577248f607ed271d52107015cdffc8a0a9f7e8ac2880b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\http.dll

Filesize
189KB

MD5
c0d7a16ba0340ffaeadedb5fd82f6984

SHA1
63ac374a7322e4ecb9b8fed7e67ffcf01b71fc75

SHA256
e07a6f752e45e3240c95cbb890b22a154b1cca571c17fb57f11ef0b86108a7bb

SHA512
3e50f009b7a43d2fb58f28f0eaab4555d9fc68ed72af970f6a6bd875dab30b5ad32300e95ac570ddf0d925499e709457ea8757033580493f4bbae14a20d06c42

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\lsa.dll

Filesize
106KB

MD5
f89b978400b6c035f975efc6ab7303a8

SHA1
173f9f2bc814b19870c7b98057c948b0292340f9

SHA256
ca621b67c0aa1fe669c99abc0ee1a52807321f5be4092bad7c49d4291c194b7c

SHA512
d0fc9d302ee3b8be6c65ccb2a2d387a1a914ed9a453ce0cad6734f2c9d59a0ea8694e39b81382ee7b6f6c61b96db81f7ad1c227727b65a5a61c0471a35c39e33

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\pop3.dll

Filesize
108KB

MD5
4617113b1fa666e743f899d3781483d8

SHA1
0a1dadb7051c5a5ed9d108f78f83ac2b21419a84

SHA256
30af0cec58983ef5ccf2b30f074faad6ac348cd5fc88461c0b06977839a2c651

SHA512
92d0cd9e51de702a04bc2948e2966219b16c1bef93dadddccf801c58c2da1dd22ac5b9651583868957098959beeca2cfdd7465edece1120e364935ff65184675

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\rpc.dll

Filesize
107KB

MD5
fd8770a4368acd38c18ccb0298dcf587

SHA1
867772d872b84988bd7e9ea2271e470dd443874e

SHA256
e039a7e9bdecaf697bd73a47da557e5582fbffacc53f9a185790299156c85584

SHA512
e1123fa8cf304d082324cfaa5534ea34103226242cef1d6e1640bd2b343d19ae3bcec2302c3a6167c57f8196415190d86050fb55e2e6ba0d90aef189d5ca18c7

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\sav.dll

Filesize
726KB

MD5
47b40a1348a6eda7087a6241858ef9e1

SHA1
ca8ce0ba789baafc75b593fd8a98d4cf8afa4956

SHA256
cd83b1612c2823488ea267e88fe91a2aedf6b278bafdd39ff673bed3add39d6b

SHA512
dd43a1a08e0dd9386c0c4aa47c2e1a71a6ccd07dec1d70129c43845c5c32ec038efb617bec35320a467bbac77bad6abefd176c747b2a9113190d3e98d1b50130

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smb.dll

Filesize
192KB

MD5
b4a0352a49d7661e64693765707a0a1a

SHA1
888f7e14cc08ef0ff4f6557bc8ec3a4ac36d18f3

SHA256
4295bbc2ce2ccb68b17df07b2364ef90b3bb802fc2f44c710b13c1477f424caa

SHA512
8647121a5cfc25fb7ff46308cebe3c261927bac40d2fafe89c01945346993e31ff6b0369e2a686f9f4a16cc61b74c887ed670f30a1a21252e04cd1ba781bb712

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smtp.dll

Filesize
121KB

MD5
2b8265dfa5b53b61e875f7a83dde8680

SHA1
fa3c87c02750700ac0d20d21b88a90b8122be8e1

SHA256
748bac0cddaa20c4967f6f495db6b58f88fb675790c2039e211e42468afbe2eb

SHA512
9011bc9b204db910f7a06f89928986f03df234df39309b183b3fe226677eb0c435f0b8c3efaad9689a5fa44bee034ec99b7af2c6fc3a2056bc0a4c0d4d9d5de2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ssl.dll

Filesize
178KB

MD5
9592f5912b31b62193656497e67a2d9b

SHA1
b8a92656880a7016edcba43b1e206d83fe3847e0

SHA256
5978dd53996bc3856d01010e4ddc41215dc9d7fe046961feabec419972ce94bd

SHA512
ffab48be1db5cc30f61d88b3bc02e2ea30c8dcd44bfe9bed786bb7cd699dac8c456c1d390925c9a9ff2994a54cf98eee0e76984eba318792ec9838db1954b98d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
01409a92b179c99711ea8c28d307d0c4

SHA1
a9cc2b0c5727e2af14819f3908c4693f8e891392

SHA256
3034962a4c308ef5e66a2de7faf1ed2439b7e59086a8c07ad59ce3669b8ee01c

SHA512
8e86173a54d253f3e05443c603222b9018d63a3fb8e3a26b2b5602c083c07b117d5c53ede08056b6aa4503380562444c6704de32b2cce76f146478616b7278c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c8996040a0fc0c2f1736a6150db29c42

SHA1
c2ed49ba4fa98486db1a32c6d145c66a9b92a885

SHA256
311847473020f741ffe5d47f9792cee698d44f21f1c3a9b97dedc00babc78c6c

SHA512
54f85316f3dc8936d02ec41cc5808c428c28ecdf502583391a5ca9bc64697eab795ff60dd4eb897f3bb7b0f9c9e1e21a93815a8fa335e4f616ead845f5583d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA44A.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q7QYTB89\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B79CA38\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
b4ecb8001f71894c1a17860476981441

SHA1
72d28f2aa50082a152cb6b3e25895855188fe9b8

SHA256
e6133baa62122e214ab9c114e9fff73bf25956518907a88577a85c8fb88c561f

SHA512
930e1b8181048790fffc1a5bd7f9dde91eeb757f1f8f35e01373f9414794963a53c03239b4ccc60b5c38049aba9e4db0ef5c166e278751c15c136a331ae495b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B79CA38\Newtonsoft.Json.dll

Filesize
428KB

MD5
eb259a0e2377f4c0bfb8712b773456fe

SHA1
d9123b055df58e33aa2ab2f242b30fc6a37f1cad

SHA256
4f9d1e187920dadd4e7693897f8240621e498ffd1709915c3b8394aaa1a34b43

SHA512
1f6e7c2233307a90dda68eaaa4ac08848b0499b464d3a307390a4b95ec1751d00b923572f92588b55f049ae6f4282d4126d2425e5caf8a95c8260f7600dc574a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B79CA38\WebCompanionInstaller.exe

Filesize
456KB

MD5
994672c2aa0d63930a0d8614bafeac09

SHA1
94dc5848fd00f05589707fece3f60b8840aed26a

SHA256
c5a088842a698f1938c22f6314a141251282e32f263d99a6854c2d58fdee9272

SHA512
47a0d7bf14b46cddc90cc1dab0add345e40621fcd11d97786b3947a04bf9acf1cd4cc304562a51c1f83b7b8422302bdf7f8dd23dd949ee6847850f5e911d6e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B79CA38\WebCompanionInstaller.exe.config

Filesize
2KB

MD5
8faad08d58b1207cff53b7dc1a35af91

SHA1
e74f806a6cfea16c2e5c6c90ff6a66111b61cea8

SHA256
091d2aae6d9f4a9b403e45ebc578e0cf27a08d16e9b8784e614c8710080f2cca

SHA512
dc0cfe69c6a3f715875f1badbf44eb90aeb97ebb5fc7b9f3dd4b4f4561de4c403b086709730f4f11de0815828f212591bf63b0fc591e8445ba7a320c574ea2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCInstaller.exe

Filesize
552KB

MD5
bc4c25ffc19286961d5cc54dd79a6d2d

SHA1
d1ca4a578a51946d38b0ceaf63a3a75c4b8fff5a

SHA256
409960971e9e9e31121d10d5033f27ec07ac228e52c32873292f2ee8567a8eaa

SHA512
0c4fc53d6d5fe5fa478f436616022a3c509d70a2d99714badfb945d88c6da9e005961b2d3409a124abdf5b5858001a0e385c58169c822f3b0d4cbd70327044a1

Download Submit
memory/540-48-0x000000006FAF0000-0x00000000700A1000-memory.dmp

Filesize
5.7MB

Download
memory/540-326-0x000000006FAF0000-0x00000000700A1000-memory.dmp

Filesize
5.7MB

Download
memory/540-325-0x000000006FAF2000-0x000000006FAF3000-memory.dmp

Filesize
4KB

Download
memory/540-324-0x000000006FAF0000-0x00000000700A1000-memory.dmp

Filesize
5.7MB

Download
memory/540-45-0x000000006FAF2000-0x000000006FAF3000-memory.dmp

Filesize
4KB

Download
memory/540-47-0x000000006FAF0000-0x00000000700A1000-memory.dmp

Filesize
5.7MB

Download