f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

Analysis

max time kernel
1792s
max time network
1755s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archive.zip__ccacaxs2tbz2t6ob3e.exe
Size

430KB
MD5

a3cab1a43ff58b41f61f8ea32319386b
SHA1

94689e1a9e1503f1082b23e6d5984d4587f3b9ec
SHA256

005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
SHA512

8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
SSDEEP

6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR

Score

8^/10

discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\bddci.sys	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\SETA332.tmp	RunDLL32.Exe
File created	C:\Windows\system32\DRIVERS\SETA332.tmp	RunDLL32.Exe

Executes dropped EXE 9 IoCs

pid	Process
2840	6B51.tmp.exe
1824	WCInstaller.exe
1272	WebCompanionInstaller.exe
480	Process not Found
2856	DCIService.exe
2344	WebCompanion.exe
2480	Lavasoft.WCAssistant.WinService.exe
2120	WebCompanion.exe
1548	Lavasoft.Search.exe

Loads dropped DLL 64 IoCs

pid	Process
3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe
3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe
1824	WCInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
2856	DCIService.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	iplogger.org
7	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Lavasoft.WCAssistant.WinService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\MozCompressor.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-interlocked-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-sysinfo-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-util-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_uninstall.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-console-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-timezone-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140_codecvt_ids.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\pop3.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Esent.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionExtensionIE.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-string-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\ssl.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-math-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-memory-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-convert-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-math-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-multibyte-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_install_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\sav.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ru-RU\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_core.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-conio-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.inf	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\msvcp140_2.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\WebFilteringSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-errorhandling-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-synch-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-private-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_install_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ucrtbased.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-namedpipe-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Extension.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-errorhandling-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-file-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-process-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-profile-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\msvcp140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-datetime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\DCIService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\BDUpdateServiceCom.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\7za.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\scan.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	Lavasoft.Search.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	Lavasoft.Search.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	RunDLL32.Exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1788	sc.exe
3044	sc.exe
2860	sc.exe
952	sc.exe
1604	sc.exe
2400	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Archive.zip__ccacaxs2tbz2t6ob3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Archive.zip__ccacaxs2tbz2t6ob3e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
1272	WebCompanionInstaller.exe
2480	Lavasoft.WCAssistant.WinService.exe
2480	Lavasoft.WCAssistant.WinService.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2344	WebCompanion.exe
2120	WebCompanion.exe
1548	Lavasoft.Search.exe
1548	Lavasoft.Search.exe
1548	Lavasoft.Search.exe
1548	Lavasoft.Search.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	WebCompanionInstaller.exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeRestorePrivilege	2100	RunDLL32.Exe
Token: SeDebugPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeAssignPrimaryTokenPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeIncreaseQuotaPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeSecurityPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeTakeOwnershipPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeLoadDriverPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemtimePrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeBackupPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeShutdownPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemEnvironmentPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeUndockPrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeManageVolumePrivilege	2480	Lavasoft.WCAssistant.WinService.exe
Token: SeDebugPrivilege	2344	WebCompanion.exe
Token: SeDebugPrivilege	2120	WebCompanion.exe
Token: SeDebugPrivilege	1548	Lavasoft.Search.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2120	WebCompanion.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2120	WebCompanion.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2840	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	29
PID 3020 wrote to memory of 2840	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	29
PID 3020 wrote to memory of 2840	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	29
PID 3020 wrote to memory of 2840	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	29
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 3020 wrote to memory of 1824	3020	Archive.zip__ccacaxs2tbz2t6ob3e.exe	33
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1824 wrote to memory of 1272	1824	WCInstaller.exe	34
PID 1272 wrote to memory of 2860	1272	WebCompanionInstaller.exe	36
PID 1272 wrote to memory of 2860	1272	WebCompanionInstaller.exe	36
PID 1272 wrote to memory of 2860	1272	WebCompanionInstaller.exe	36
PID 1272 wrote to memory of 2860	1272	WebCompanionInstaller.exe	36
PID 1272 wrote to memory of 952	1272	WebCompanionInstaller.exe	38
PID 1272 wrote to memory of 952	1272	WebCompanionInstaller.exe	38
PID 1272 wrote to memory of 952	1272	WebCompanionInstaller.exe	38
PID 1272 wrote to memory of 952	1272	WebCompanionInstaller.exe	38
PID 1272 wrote to memory of 1604	1272	WebCompanionInstaller.exe	40
PID 1272 wrote to memory of 1604	1272	WebCompanionInstaller.exe	40
PID 1272 wrote to memory of 1604	1272	WebCompanionInstaller.exe	40
PID 1272 wrote to memory of 1604	1272	WebCompanionInstaller.exe	40
PID 1272 wrote to memory of 2100	1272	WebCompanionInstaller.exe	42
PID 1272 wrote to memory of 2100	1272	WebCompanionInstaller.exe	42
PID 1272 wrote to memory of 2100	1272	WebCompanionInstaller.exe	42
PID 1272 wrote to memory of 2100	1272	WebCompanionInstaller.exe	42
PID 2100 wrote to memory of 1360	2100	RunDLL32.Exe	43
PID 2100 wrote to memory of 1360	2100	RunDLL32.Exe	43
PID 2100 wrote to memory of 1360	2100	RunDLL32.Exe	43
PID 1360 wrote to memory of 1256	1360	runonce.exe	44
PID 1360 wrote to memory of 1256	1360	runonce.exe	44
PID 1360 wrote to memory of 1256	1360	runonce.exe	44
PID 1272 wrote to memory of 2244	1272	WebCompanionInstaller.exe	46
PID 1272 wrote to memory of 2244	1272	WebCompanionInstaller.exe	46
PID 1272 wrote to memory of 2244	1272	WebCompanionInstaller.exe	46
PID 1272 wrote to memory of 2244	1272	WebCompanionInstaller.exe	46
PID 1272 wrote to memory of 2400	1272	WebCompanionInstaller.exe	47
PID 1272 wrote to memory of 2400	1272	WebCompanionInstaller.exe	47
PID 1272 wrote to memory of 2400	1272	WebCompanionInstaller.exe	47
PID 1272 wrote to memory of 2400	1272	WebCompanionInstaller.exe	47
PID 2244 wrote to memory of 2348	2244	net.exe	50
PID 2244 wrote to memory of 2348	2244	net.exe	50
PID 2244 wrote to memory of 2348	2244	net.exe	50
PID 1272 wrote to memory of 1788	1272	WebCompanionInstaller.exe	51
PID 1272 wrote to memory of 1788	1272	WebCompanionInstaller.exe	51
PID 1272 wrote to memory of 1788	1272	WebCompanionInstaller.exe	51
PID 1272 wrote to memory of 1788	1272	WebCompanionInstaller.exe	51
PID 1272 wrote to memory of 844	1272	WebCompanionInstaller.exe	53
PID 1272 wrote to memory of 844	1272	WebCompanionInstaller.exe	53
PID 1272 wrote to memory of 844	1272	WebCompanionInstaller.exe	53
PID 1272 wrote to memory of 844	1272	WebCompanionInstaller.exe	53
PID 844 wrote to memory of 3044	844	cmd.exe	55
PID 844 wrote to memory of 3044	844	cmd.exe	55
PID 844 wrote to memory of 3044	844	cmd.exe	55
PID 844 wrote to memory of 3044	844	cmd.exe	55
PID 1272 wrote to memory of 2444	1272	WebCompanionInstaller.exe	57

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\6B51.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\6B51.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\7zS02721D79\WebCompanionInstaller.exe
    .\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=8.9.0.992 --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
      4⤵
      Launches sc.exe
      PID:2860
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
      4⤵
      Launches sc.exe
      PID:952
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
      4⤵
      Launches sc.exe
      PID:1604
  - - C:\Windows\system32\RunDLL32.Exe
      "C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:1256
  - - C:\Windows\system32\net.exe
      "C:\Windows\sysnative\net.exe" start bddci
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start bddci
        5⤵
        
        PID:2348
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
      4⤵
      Launches sc.exe
      PID:2400
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" description "DCIService" "Webprotection Bridge service"
      4⤵
      Launches sc.exe
      PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start DCIService
        5⤵
        Launches sc.exe
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
      4⤵
      PID:2444
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh http add urlacl url=http://+:9007/ user=Everyone
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1668
  - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
      "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2344
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvswnvq-.cmdline"
        5⤵
        
        PID:1752
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B2E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B2D.tmp"
        6⤵
        
        PID:780
  - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
      "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2120
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\foobo7nc.cmdline"
        5⤵
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC61B0.tmp"
        6⤵
        
        PID:2756
    - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Search.exe
        
        "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Search.exe" --searchConfigPath="C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\SearchMetadata.txt" --eventConfigPath="C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\EventMetadata.txt"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
  2⤵
  PID:2284
- - C:\Windows\system32\netsh.exe
    netsh http add urlacl url=http://+:9007/ user=Everyone
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Lavasoft\WEBCOM~1\Service\x64\bddci.sys

Filesize
781KB

MD5
2a241af18d9f0466aff6cd77c1561f9b

SHA1
2c6bfc8e583ed026fdf9ec01265d99e22d39305a

SHA256
528804013487cdb1da617e512d1de68060602887bcc8a7822bdb1346a2995ffd

SHA512
6779667bb57c87fdbf4dee57682e7851b5ad5bea39deb09fcb596ae48eb571317749ff59e825f91bd57527dab7477deac5b24bdbd86471844fad36876c08dd28

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Filesize
8.8MB

MD5
2c178ebc4ac7466f63236e00d9e77b54

SHA1
6a5152b6c1fa9d5856c0ab2deed4c9912d05d9a6

SHA256
55b1802b3cae0d58ef5d88b3b9a61f6635d8d568dab2bee7f2aed392a91ab0f1

SHA512
ffc647865e75bb5b54b9bad5d218121c38ab8c7abc8b8770a18956a9443766c45820f19c4dc56008792f27951176449c637ca37998310efec44a644509bf4237

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf

Filesize
4KB

MD5
e8b58a307f96dc9ce1eb2729f86e13b0

SHA1
5cee60f070930dc971e4d35d48e30364f623aad2

SHA256
2c9a7118ef74c3b168663c8ec6f3a7b27653896e193129ed0bc5e9aa55a0afbb

SHA512
7cd9fe7bcc8c8ec1466acc1adc7ab8c9ab6bdaf7c7c27dcc6c0cb43bab741f2519a88647ce43f74d7e9caf4ae39ae172dc639ed1b2027b9e8f15f35353613d91

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd

Filesize
49B

MD5
95e8c6cd0a911f1ab4969c06b8cf77a2

SHA1
be1b1f8abd0420f59ecab7bcf8120cdc2ce34195

SHA256
de795f6d8591577054813bee79e7c5b4ee13360039d29aa73971c6b985d26ebd

SHA512
e5eefaf761be7bf3cea207e22e98398093fa0a9d3b459af7df22bfbf07755816737a7b8b261acf01aec8b10b5d8f0d90132a4ecdd83c242b2cde883039fac1ff

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log

Filesize
4KB

MD5
049b699dc0fba41b51ad3f393a74f4ba

SHA1
d927a9350e7ba981e09596c62020707e6f05825b

SHA256
56bdc11c2f6b5a4dfde0d8471bd3b73e321866c1a7237c9a7e1fe22fc53a8c73

SHA512
7e5d3f05ff0ef1578b3a824904538090e007f43f9dc817c2b7dddc6188fdb79b4f98c396a86dcabbc1b44c48b844c113de4fab4727c7abfe80dd53ad6c4155db

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ActiveFeatures.zip.tmp

Filesize
17KB

MD5
80e1acb2c9fd443f4298bce8af7ccc25

SHA1
0caed9af7e3e11395246eb697b35532c6d752013

SHA256
8fdb29858290d88f953e7eabbbbf6ef7362a54fc50108e9b148cdadc35ed3ac3

SHA512
cb89672e2f7b5a596a9d1eb9df1a405c763e24a65d2c5def0ecf9671c5f22b207a48aa44c7e06179b93ecb564df4ed0f5edd26873e47985d99939bcbe034502d

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ServicePartnerInfo.txt

Filesize
186B

MD5
5ab2b9736c7c90d41347c6bd20058f9e

SHA1
7336d6780991fc7424f31a0a38bc2ae151c61810

SHA256
92ab59300131479510afb4201edd31c38434f3e4f2b7edda73db899f7e9cd38e

SHA512
5272016c0f0ee216c7805fd4e7e93fd8f8a831109c8638221b8de817d560a6ad2e2a130fe7ab3efd19583512940d3eccd7ecca84611aa6bfe1b0598e529f910d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bb73d2d56812317c39966caeac0c631

SHA1
27abd2af4166f5769e466930844a5b25f5e0adc7

SHA256
66b723f3ab7880559e86c429abd370083a796e46a7eda4b1f0ddff2136ba026d

SHA512
350ab9811522e7f695651c2a02398a1f7aa2f4691bd382b8da85e70bde5a6bb1f12c701ec0afbfaee45d529fa5bd2706423f8d59ddf45b410ce04f1046e50557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d502f027d9897e2d3dc3db43d2154708

SHA1
e27dadf11e56b7ae198a815feff3f7008c628a3c

SHA256
573f26f220c43834d53158c29153df805fa8ba86b3c2f63efa1f3bb654c7cf54

SHA512
28f63d1ce3f8d485e834e5dbb28b5851b20593ea87d6f66ce2bc28322e721475888eb7362129ade2f34bbd03ae659804581f2d85209269801b8e0b81f7d25509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a76baf8f91cf6f8b98834f539c602cf

SHA1
f13eb91c7567f39085b694404ff2f395810b614a

SHA256
92533f03aefa1c5a55155f474b1f37792f07b9b2592c14c0adcda78235effab6

SHA512
384adaebaf67d8f0dee5150a301644453a5d424a99c6942510810af68542f18f1fd6cc6288f3cab50c1956198b1c1fe8cd968ff4c80250f612463cb92b7ee907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
89f0129d2413aee03f666179a3c65700

SHA1
a2bf1071d5760f31bf6ffad5ab7bbe94bfadae1f

SHA256
54ddc2bc88b04a6b6b3549d591a572ec28198ada024377f251bf7d956b5caf28

SHA512
5dbc5929a95c320a876300cca96566c2f68f399bc1c94d956df7f7b4fa4ca883963a22ca795ec3900193dee7ff67f1d83e94d7e4680a9db9b3ba29c051576482

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\Search\Logs\search.log

Filesize
4KB

MD5
a4af236d0679f9b005bb4b0c7fe62a24

SHA1
bd9078617aef590af98d140f3a58eed44c237ce1

SHA256
bfa625e551088e489957c06528d1988211ccd0cb2084ae3335cf1983a70d4c7e

SHA512
3fbedd47e3fdf1f9d3395a0f8495a772f298d0639807d08f55c17d960013a169d7fc12d944fb07fdc75fd682d8164524194341dde623c72ac9edd5357472beeb

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\f4_rmn7t.newcfg

Filesize
2KB

MD5
11f06d0ad6ffd5bba69c33dd652f1bf4

SHA1
16955cf7eff60e17006f1dc334524674952a1484

SHA256
3ca9011a3a97508dc4d1bffa39f237dd4d145d49018d589e8810f7315b1cdb36

SHA512
75d0027a8c19e9e947965a5749f99f4586ec07245c2642cff233aee6c5bcbf599be1604cefd9edb0a559796f55ad510bc564d60b8c1446bd2317d1a50ddcb7d1

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\hk5xaiae.newcfg

Filesize
3KB

MD5
604da96f5f25050abb864bd2757d0540

SHA1
c827df05008ced61d3878512f60ede84837fc24c

SHA256
ec578dfa2dccfe18b8f0c6fc878767736fc4c538bd1e9ab7b534458410d31476

SHA512
b1f788d1978e26b62b79db7df9035e9a007c3b736b6474088f5983a123b2c98c9ae22ec22ff98ac9f38af817285b2cc82ac28c027bf5199dfa25ee61986082a8

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\k0iron-z.newcfg

Filesize
2KB

MD5
be3e19351e2afb06a6bcd5216b56245a

SHA1
e3ef54ab7faa2a40d423721cba243046eb1ace7c

SHA256
847b1e5f7c2644b1f7e8962aac81f40ed7d3b8f9839916985fe655c890a24450

SHA512
ee53127e61211a5bf969d372f28160916787c170d111bc172ce9df4732795e013c1f4e2253a747d6c39d94c65469d669edc45b3db09fe8b147d9e97e66f2942a

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\l7g7jicv.newcfg

Filesize
4KB

MD5
97010abe2a3f071c9619eec52c8e5fd4

SHA1
1be1c087354fd4c1d55694840fe706f86a601526

SHA256
9e6e6170f83f489698252550ab8c4e0ed8997b752557a86d936ca32cbcddff2a

SHA512
e14dd3c905af439ba4ae77d4a766b14bd39257682b65573732d8da62311838de961fd6a0c8eb9a4ba9263e3b28eaea94bf81cf3a78a9aad1643e94b7311c03f1

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\ljmblp6-.newcfg

Filesize
2KB

MD5
ef12bea72f5f2b272fe26b197b3ca184

SHA1
7126b27288d8e5108fb15111b779b5eb8f77e902

SHA256
692e2d91afcd905969c5aa8fcbbb96b662207df6d1b78a595556bd3012533d39

SHA512
b9be043de3eed4e836c31405818a7c13de1da341907f809d809f2c0d093bc6c0a17964ba2e0d9df1faf2708f2f91915a73787c6221c7e829b037d3ada08051e9

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\mpdjvjfp.newcfg

Filesize
2KB

MD5
0f52567ff36ee6655a32219f21b54887

SHA1
4fb341e09eaf176bc4e2d97f37a9de5d0c30872e

SHA256
89deccb3a952f09d39de0a9644cf37fd83afdb4ab97b52d9e0a9935f8a6ed152

SHA512
c44616767f441448cb32e40c3ae9c0f7836a726989424fa9d37c0f40af8779d8bb0f035b6763e7280063c3baa500dac59a3edf002195960cb85f53c2c9aa8c48

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\myl3ne1n.newcfg

Filesize
4KB

MD5
d14101a1780d1964e87fe275b2049305

SHA1
5640be48e069e15330a86a6f37615ceb7cb1436a

SHA256
20ce903ec7594e720d350ff15eb88645ce7c52311f273e4bbc5baa993db6d880

SHA512
cfec903a1acdbfd5eb03f11756b899769e67eb256c1fcec0436f511d29480e91416403a5ea96c3eedbf077eb88da4f9f6ae92e91a9266c2ba33fcc9df34fdd5d

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\qwim4dfa.newcfg

Filesize
1KB

MD5
e4308a22084be6f951aa99648cdbe1c2

SHA1
dbef8d6b73e101397816c3ade09d4f156987a53b

SHA256
f96bacba602816427d078505dea2b0423bd391313950e8b60258471d7372b446

SHA512
8d1aa1380a5623d247fea0d8e0178cc1dbb61141c7dc45c095930a420a904efbf7f80f3febb5411cb8a152ee12e5e667f6466cf33de58dcdf89e0199fd959867

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\rrdzifxn.newcfg

Filesize
2KB

MD5
a497c6afc7b9535bedd94cc9dd1817a2

SHA1
b6b2633d316d69972f126aac7e942fba3ad0302d

SHA256
9706ccf99eb1b465cad514bcb54b8a8c7b826e6a8b28b7df8954cfbdcac42c3d

SHA512
330f3c7707f70f0b8f8d12df72baf9fd9dd049430c96a8b3648f64a3fdcdaddc2fbcc72fbf33e86d7ab901a904d041ae5defd4d0e5243f11882761a7a9739abe

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
338B

MD5
0a35fbae99f45bc0dccdb777ecfd0436

SHA1
65e295fde91f90d55b107680e060895654fe66e4

SHA256
19af84c48a15820c94367390d58588ddad8164b0ac4056c258a766c726329550

SHA512
db3a0973a373c039603c750f0f196cbf65553cddb83739f1942402eaacbe178a775be87c4b034feb706830ae69d20158c3e3ecad8d5d3febc45146b487c3c42c

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
4KB

MD5
56d172ad5625e1e60a3a59d11685534b

SHA1
da1794625c4d5a187db0a410a4860b6070968eea

SHA256
e990cde703271d80a811bffa3093e4f28b30b0802c14b4491f7902a27eb0b99a

SHA512
6782173a280546a3bed40ecbf0717495e329f34a7db53f532d9013664c065d74ba6bddbc317f37c8e3cd7a0bae868d309d61a6334cac446f09ee1617e95c0eef

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
5KB

MD5
0b6ccd8001f5888cf50cf3393f48b4c0

SHA1
7c302b34ddaab38fe59d2718caf2ad82c06086f5

SHA256
35b36bfc6bf73698a7865bfd63937312d6e02c9da7fb668730b2429dbfa45895

SHA512
6f1f757fb1441f132fc5fcc98fbd16d9cc640003a91efed8926358c3682154bdcde30314c3dd6adeca39526285e632c2dd4c431fb6e35b4ef4170f77a220a736

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
4KB

MD5
a55b12641684271e313c031af077378c

SHA1
0e513e7c1791dc28086e38bfdc1a31000272ad1d

SHA256
faa31e92244e410efda5059bac3bc3355dd9d1f02cf0237e75f6f0404bdbc58c

SHA512
68cfda3e90f6dcfd1569b51301c56d22e8fa718c994a057f8d170dca79f41067f1c85b15739e8c74c54ca6e8f46a5e7104669270ad811d510bd24390c0dc0536

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
4KB

MD5
c685c9488463ed1d289f88a39f6d1a50

SHA1
869ae6ce4ebb116bb3acbf56e143f1a10ec0852d

SHA256
52e0f5ad606d362f3165185c5969ea8be8028e8a0e39058078fbebc72212edc9

SHA512
e835974b822d4f205086b71b1b1df24c68f7a32952937785eab560b938c20d3ae7b5f710481eaa3f0ef4d86d1f988e5140a0572781bce250c5f958288e437771

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\z5iu2vem.newcfg

Filesize
2KB

MD5
a073d793190729d4638437ae1e77c0f3

SHA1
d81735cf97a80779c851b29ab948b79c15345270

SHA256
eb11d1d5a3d754ad8b31df868276e0b8bd82a595d1a845bae37d121c8c442ef4

SHA512
8a4b728323b18e28a16280969767678f7b5ec543501a954ca7efb14c2659899de0cba6b7eb0fa1316f9d7227c310435baba96166547e7d0f9803ae1222f8a908

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS02721D79\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
b4ecb8001f71894c1a17860476981441

SHA1
72d28f2aa50082a152cb6b3e25895855188fe9b8

SHA256
e6133baa62122e214ab9c114e9fff73bf25956518907a88577a85c8fb88c561f

SHA512
930e1b8181048790fffc1a5bd7f9dde91eeb757f1f8f35e01373f9414794963a53c03239b4ccc60b5c38049aba9e4db0ef5c166e278751c15c136a331ae495b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS02721D79\Newtonsoft.Json.dll

Filesize
428KB

MD5
eb259a0e2377f4c0bfb8712b773456fe

SHA1
d9123b055df58e33aa2ab2f242b30fc6a37f1cad

SHA256
4f9d1e187920dadd4e7693897f8240621e498ffd1709915c3b8394aaa1a34b43

SHA512
1f6e7c2233307a90dda68eaaa4ac08848b0499b464d3a307390a4b95ec1751d00b923572f92588b55f049ae6f4282d4126d2425e5caf8a95c8260f7600dc574a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS02721D79\WebCompanionInstaller.exe.config

Filesize
2KB

MD5
8faad08d58b1207cff53b7dc1a35af91

SHA1
e74f806a6cfea16c2e5c6c90ff6a66111b61cea8

SHA256
091d2aae6d9f4a9b403e45ebc578e0cf27a08d16e9b8784e614c8710080f2cca

SHA512
dc0cfe69c6a3f715875f1badbf44eb90aeb97ebb5fc7b9f3dd4b4f4561de4c403b086709730f4f11de0815828f212591bf63b0fc591e8445ba7a320c574ea2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D5E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E8D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Search\ProfileInfo.txt

Filesize
78B

MD5
59b9156d40e280973df6f2e14db47e4e

SHA1
0e6205f1205ea5f3974c53c58e2b4fc650ea6c68

SHA256
286929ab8054dbf0065ebd7104ac6c96b876f98507a454ce746c3bef2575fcd0

SHA512
56786593566a53c0c467945f622b51e38b6e53baee20038964183c115a1e7a7e1c924f8022455362bd4632dcc60af8bfc1b574eefed4f10da66e34aa1677b74c

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Search\searchenginetemplate.xml

Filesize
1KB

MD5
b3c45cbea8dd3685f189db517db7992b

SHA1
e950121e65a194d735925fd9f8b6619acd735082

SHA256
6b391592ade248e6dfbc9711cc78c3e91090999e131c620de3dedb3f83202f75

SHA512
a3e2a6903c7a3daaeace184b1e54dad1b3896a62c3d613dac2b9d68bec12d9ed4af852835d1bc1432fddeff3fac1eaf567b2d8d4ea57a0986e647cea30f75b74

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\b_search.json

Filesize
463B

MD5
11480836741896f0a32c6d56db5c2130

SHA1
ba12af22fe651ab1bb79401b3f3b680f63dc98a6

SHA256
66ccb25ddd4a9bc6bdcb534fb6332ebfa5d7c4034907e7b77e2d27ce1e398199

SHA512
6bf7916b3b81cd748f966e36953dc13309082d0b7464cdef7945c25e0d8539a7129c12c1c8698d7a6655b9857d3063f23660e5efccda279a329a387ed54fa5e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new

Filesize
466B

MD5
50ee87fa74a1477dc75cc1555d48dd43

SHA1
55954f59afff93ed71d1bd8b8d4984dca4c7f1b3

SHA256
ebb73334eabae5fe341898226d2b2d23f824bcdf0ad84b1ae125ac14bcf3006e

SHA512
61ff1b4a418c5e3eb1955413f455cc3727d4a99e5bf822ff5b950b3d1dba94b7b91021144412d534f0c88d01c9083817fc56cc5416dbb7fccc113f1d2e68b6b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b80145479ae03e6c4660b5a4ac0fa538

SHA1
93431ac25e907f9b535d319d5db3a2324009fcd2

SHA256
642442e75504b7f52cd05b61b06247f8401b12d97f5e6c049344cb6110f1521f

SHA512
142a43b314c1c06f3533aa3291ed7b614d9c7518756af84c66aa5fcf9d675d911ff625f8d1d6f30031784b774d619d6b5548aeed05601464486ebaa506f89912

Download Submit
C:\Windows\Temp\Cab2F6C.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe

Filesize
3.3MB

MD5
3827ca1c0ec114a29bb576bef431f070

SHA1
1189dd380f160046de9f5f2f1d74459958f31a4b

SHA256
dd45886108aa85350feaa6d9fcc6c922b0874dfa18bbfe23111cc8edcb37fcb1

SHA512
480b6a1fc02fdec7fc2316f01b239bce98a6d8152770d329ddc4bfb37e2e00a7987a702900523ccc0380caabbee38a404683dbb20fe9c9b9456083559afb8218

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
7041205ea1a1d9ba68c70333086e6b48

SHA1
5034155f7ec4f91e882eae61fd3481b5a1c62eb0

SHA256
eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d

SHA512
aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
8fd05f79565c563a50f23b960f4d77a6

SHA1
98e5e665ef4a3dd6f149733b180c970c60932538

SHA256
3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73

SHA512
587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
769bf2930e7b0ce2e3fb2cbc6630ba2e

SHA1
b9df24d2d37ca8b52ca7eb5c6de414cb3159488a

SHA256
d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a

SHA512
9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
6486e2f519a80511ac3de235487bee79

SHA1
b43fd61e62d98eea74cf8eb54ca16c8f8e10c906

SHA256
24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667

SHA512
02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
a639c64c03544491cd196f1ba08ae6e0

SHA1
3ee08712c85aab71cfbdb43dbef06833daa36ab2

SHA256
a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60

SHA512
c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
6f9f9d52087ae4d8d180954b9d42778b

SHA1
67419967a40cc82a0ca4151589677de8226f9693

SHA256
ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0

SHA512
22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
ebac9545734cc1bec37c1c32ffaff7d8

SHA1
2b716ce57f0af28d1223f4794cc8696d49ae2f29

SHA256
d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26

SHA512
0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
c7c4a49c6ee6b1272ade4f06db2fa880

SHA1
b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e

SHA256
37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f

SHA512
62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
bef17bf1ba00150163a2e1699ff5840a

SHA1
89145a894b17427f4cb2b4e7e814c92457fd2a75

SHA256
48c71b2d0af6807f387d97ab22a3ba77b85bdf457f8a4f03ce79d13fbb891328

SHA512
489d1b4d405edbb5f46b087a3ebf57a344bf65478b3cd5fcf273736ea6fdd33e54b1806fbb751849e160370df8354f39fc7ca7896a05b4660ad577a9e0e683e4

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
fbfcf220f1bf1051e82a40f349d4beae

SHA1
43154ea6705ab1c34207b66a0a544ac211c1f37d

SHA256
9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d

SHA512
e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
2c8e5e31e996e2c0664f4a945cece991

SHA1
8522c378bdd189ce03a89199dd73ed0834b2fa95

SHA256
1c556505a926fd5f713004e88d7f8d68177d7d40a406f6ed04af7bacd2264979

SHA512
14b92e32fb0fd9c50aa311f02763cba50692149283d625a78b0549b811d221331cf1b1f46d42869500622d128c627188691d7de04c500f501acd720cea7c8050

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
a3f630a32d715214d6c46f7c87761213

SHA1
1078c77010065c933a7394d10da93bfb81be2a95

SHA256
d16db68b4020287bb6ce701b71312a9d887874c0d26b9ebd82c3c9b965029562

SHA512
920bb08310eadd7832011ac80edd3e12ce68e54e510949dbbde90adaac497debe050e2b73b9b22d9dc105386c45d558c3f9e37e1c51ed4700dd82b00e80410bc

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
c99c9eea4f83a985daf48eed9f79531b

SHA1
56486407c84beecadb88858d69300035e693d9a6

SHA256
7c416d52a7e8d6113ff85bf833cae3e11c45d1c2215b061a5bbd47432b2244a5

SHA512
78b8fd1faada381b7c4b7b6721454a19969011c1d1105fc02ba8246b477440b83dc16f0e0ce0b953a946da9d1971b65315ac29dbb6df237a11becb3d981b16b9

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
d3d72d7f4c048d46d81a34e4186600b4

SHA1
cdcad0a3df99f9aee0f49c549758ee386a3d915f

SHA256
fd8a73640a158857dd76173c5d97ceeba190e3c3eabf39446936b24032b54116

SHA512
6bf9d2fdc5c2d8cd08bf543ef7a0cdcb69d7658a12bee5601eeb9381b11d78d3c42ef9dd7e132e37d1ec34cc3dc66df0f50aefadfdc927904b520fdc2f994f18

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
a992f1e06c3c32ffe9799d4750af070a

SHA1
97ffd536d048720010133c3d79b6deed7fc82e58

SHA256
b401edaac4b41da73356de9b3358dc21f8b998a63413c868510dc734b1e4022f

SHA512
50bd08680fccff190454e6555e65e2787bdc0e8a9bf711e364eb0b065951c2430559e049202b8f330ac65e9d4cd588349c524a71f700e179859d7829d8e840b8

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140.dll

Filesize
576KB

MD5
e74caf5d94aa08d046a44ed6ed84a3c5

SHA1
ed9f696fa0902a7c16b257da9b22fb605b72b12e

SHA256
3dedef76c87db736c005d06a8e0d084204b836af361a6bd2ee4651d9c45675e8

SHA512
d3128587bc8d62e4d53f8b5f95eb687bc117a6d5678c08dc6b59b72ea9178a7fd6ae8faa9094d21977c406739d6c38a440134c1c1f6f9a44809e80d162723254

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ucrtbase.dll

Filesize
938KB

MD5
d4b22fb86c88c071335fe2fb623e40ce

SHA1
cc722eb1098b3a630a990dbceb62e3338b064110

SHA256
2195fef9bd0a01d6b10a2ab77ff4f5bbca01d65d5f6590befc98d80102372605

SHA512
369fb5d80535cb1f8d46512234d7777754648aeab6a3ff1536edc64ca0097a8e8eaa7c68feeabf756de474706f0c7c896b14c4c39cbd5916ad9258f2ed3fcdf1

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
\Users\Admin\AppData\Local\Temp\6B51.tmp.exe

Filesize
149KB

MD5
060404f288040959694844afbd102966

SHA1
e0525e9ef6713fd7f269a669335ce3ddaab4b6a1

SHA256
40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a

SHA512
ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS02721D79\WebCompanionInstaller.exe

Filesize
456KB

MD5
994672c2aa0d63930a0d8614bafeac09

SHA1
94dc5848fd00f05589707fece3f60b8840aed26a

SHA256
c5a088842a698f1938c22f6314a141251282e32f263d99a6854c2d58fdee9272

SHA512
47a0d7bf14b46cddc90cc1dab0add345e40621fcd11d97786b3947a04bf9acf1cd4cc304562a51c1f83b7b8422302bdf7f8dd23dd949ee6847850f5e911d6e4e

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe

Filesize
552KB

MD5
bc4c25ffc19286961d5cc54dd79a6d2d

SHA1
d1ca4a578a51946d38b0ceaf63a3a75c4b8fff5a

SHA256
409960971e9e9e31121d10d5033f27ec07ac228e52c32873292f2ee8567a8eaa

SHA512
0c4fc53d6d5fe5fa478f436616022a3c509d70a2d99714badfb945d88c6da9e005961b2d3409a124abdf5b5858001a0e385c58169c822f3b0d4cbd70327044a1

Download Submit
memory/1548-4735-0x0000000000FA0000-0x000000000100E000-memory.dmp

Filesize
440KB

Download
memory/1548-4810-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2120-5007-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/2120-4309-0x000000006CF00000-0x000000006CF12000-memory.dmp

Filesize
72KB

Download
memory/2120-4308-0x00000000093F0000-0x0000000009402000-memory.dmp

Filesize
72KB

Download
memory/2344-2041-0x0000000007800000-0x0000000007812000-memory.dmp

Filesize
72KB

Download
memory/2344-2403-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/2344-2042-0x000000006CA40000-0x000000006CA52000-memory.dmp

Filesize
72KB

Download
memory/2344-2827-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/2480-2343-0x0000000000700000-0x0000000000750000-memory.dmp

Filesize
320KB

Download
memory/2480-2246-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2480-2448-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download