f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

Analysis

max time kernel
1794s
max time network
1698s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archive.zip__ccacaxs2tbz2t6ob3e.exe
Size

430KB
MD5

a3cab1a43ff58b41f61f8ea32319386b
SHA1

94689e1a9e1503f1082b23e6d5984d4587f3b9ec
SHA256

005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
SHA512

8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
SSDEEP

6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR

Score

8^/10

discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET645B.tmp	RunDLL32.Exe
File created	C:\Windows\system32\DRIVERS\SET645B.tmp	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\bddci.sys	RunDLL32.Exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WebCompanionInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WebCompanion.exe

Executes dropped EXE 8 IoCs

pid	Process
3396	615A.tmp.exe
5040	WCInstaller.exe
3884	WebCompanionInstaller.exe
4504	DCIService.exe
4680	WebCompanion.exe
3728	Lavasoft.WCAssistant.WinService.exe
1432	WebCompanion.exe
4284	Lavasoft.Search.exe

Loads dropped DLL 64 IoCs

pid	Process
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4504	DCIService.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WebCompanion.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	iplogger.org
20	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_684EE07DA693FF51901FCCD35B88A7C0	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_684EE07DA693FF51901FCCD35B88A7C0	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D	Lavasoft.WCAssistant.WinService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_install_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\concrt140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-time-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-errorhandling-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-synch-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-conio-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-handle-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-stdio-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-locale-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-processenvironment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Repositories.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_reinstall_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-sysinfo-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-environment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-processthreads-l1-1-1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ftp.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ssl.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\zh-CHS\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-localization-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-memory-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-runtime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-profile-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\OnlineThreatsSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-console-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\msvcp140_1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-filesystem-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-multibyte-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-rtlsupport-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-runtime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-debug-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\ucrtbase.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_reinstall_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-datetime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-handle-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\rpc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-interlocked-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-memory-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\msvcp140_codecvt_ids.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-localization-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-process-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon_Pro.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Extension\@wcextensionff.xpi	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\pt-BR\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\acs17.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\pop3.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-rtlsupport-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUSDK.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Settings.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.sys	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-processenvironment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_uninstall.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smtp.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-string-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config	WebCompanionInstaller.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	Lavasoft.Search.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File created	C:\Windows\assembly\Desktop.ini	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	Lavasoft.Search.exe
File opened for modification	C:\Windows\assembly	WebCompanion.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4088	sc.exe
1560	sc.exe
4320	sc.exe
2936	sc.exe
1348	sc.exe
224	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Lavasoft.WCAssistant.WinService.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	WebCompanionInstaller.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3884	WebCompanionInstaller.exe
3728	Lavasoft.WCAssistant.WinService.exe
3728	Lavasoft.WCAssistant.WinService.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
4680	WebCompanion.exe
1432	WebCompanion.exe
4284	Lavasoft.Search.exe
4284	Lavasoft.Search.exe
4284	Lavasoft.Search.exe
4284	Lavasoft.Search.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	WebCompanionInstaller.exe
Token: SeDebugPrivilege	4680	WebCompanion.exe
Token: SeDebugPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeAssignPrimaryTokenPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeIncreaseQuotaPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeSecurityPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeTakeOwnershipPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeLoadDriverPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemtimePrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeBackupPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeShutdownPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemEnvironmentPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeUndockPrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeManageVolumePrivilege	3728	Lavasoft.WCAssistant.WinService.exe
Token: SeDebugPrivilege	1432	WebCompanion.exe
Token: SeDebugPrivilege	4284	Lavasoft.Search.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1432	WebCompanion.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1432	WebCompanion.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3396	2136	Archive.zip__ccacaxs2tbz2t6ob3e.exe	88
PID 2136 wrote to memory of 3396	2136	Archive.zip__ccacaxs2tbz2t6ob3e.exe	88
PID 2136 wrote to memory of 3396	2136	Archive.zip__ccacaxs2tbz2t6ob3e.exe	88
PID 2136 wrote to memory of 5040	2136	Archive.zip__ccacaxs2tbz2t6ob3e.exe	106
PID 2136 wrote to memory of 5040	2136	Archive.zip__ccacaxs2tbz2t6ob3e.exe	106
PID 2136 wrote to memory of 5040	2136	Archive.zip__ccacaxs2tbz2t6ob3e.exe	106
PID 5040 wrote to memory of 3884	5040	WCInstaller.exe	107
PID 5040 wrote to memory of 3884	5040	WCInstaller.exe	107
PID 5040 wrote to memory of 3884	5040	WCInstaller.exe	107
PID 3884 wrote to memory of 2936	3884	WebCompanionInstaller.exe	109
PID 3884 wrote to memory of 2936	3884	WebCompanionInstaller.exe	109
PID 3884 wrote to memory of 2936	3884	WebCompanionInstaller.exe	109
PID 3884 wrote to memory of 1348	3884	WebCompanionInstaller.exe	111
PID 3884 wrote to memory of 1348	3884	WebCompanionInstaller.exe	111
PID 3884 wrote to memory of 1348	3884	WebCompanionInstaller.exe	111
PID 3884 wrote to memory of 224	3884	WebCompanionInstaller.exe	113
PID 3884 wrote to memory of 224	3884	WebCompanionInstaller.exe	113
PID 3884 wrote to memory of 224	3884	WebCompanionInstaller.exe	113
PID 3884 wrote to memory of 1736	3884	WebCompanionInstaller.exe	115
PID 3884 wrote to memory of 1736	3884	WebCompanionInstaller.exe	115
PID 1736 wrote to memory of 4304	1736	RunDLL32.Exe	116
PID 1736 wrote to memory of 4304	1736	RunDLL32.Exe	116
PID 4304 wrote to memory of 396	4304	runonce.exe	117
PID 4304 wrote to memory of 396	4304	runonce.exe	117
PID 3884 wrote to memory of 3376	3884	WebCompanionInstaller.exe	119
PID 3884 wrote to memory of 3376	3884	WebCompanionInstaller.exe	119
PID 3884 wrote to memory of 4088	3884	WebCompanionInstaller.exe	120
PID 3884 wrote to memory of 4088	3884	WebCompanionInstaller.exe	120
PID 3884 wrote to memory of 4088	3884	WebCompanionInstaller.exe	120
PID 3376 wrote to memory of 4616	3376	net.exe	123
PID 3376 wrote to memory of 4616	3376	net.exe	123
PID 3884 wrote to memory of 1560	3884	WebCompanionInstaller.exe	124
PID 3884 wrote to memory of 1560	3884	WebCompanionInstaller.exe	124
PID 3884 wrote to memory of 1560	3884	WebCompanionInstaller.exe	124
PID 3884 wrote to memory of 1812	3884	WebCompanionInstaller.exe	126
PID 3884 wrote to memory of 1812	3884	WebCompanionInstaller.exe	126
PID 3884 wrote to memory of 1812	3884	WebCompanionInstaller.exe	126
PID 1812 wrote to memory of 4320	1812	cmd.exe	128
PID 1812 wrote to memory of 4320	1812	cmd.exe	128
PID 1812 wrote to memory of 4320	1812	cmd.exe	128
PID 3884 wrote to memory of 1056	3884	WebCompanionInstaller.exe	130
PID 3884 wrote to memory of 1056	3884	WebCompanionInstaller.exe	130
PID 3884 wrote to memory of 1056	3884	WebCompanionInstaller.exe	130
PID 1056 wrote to memory of 4976	1056	cmd.exe	132
PID 1056 wrote to memory of 4976	1056	cmd.exe	132
PID 1056 wrote to memory of 4976	1056	cmd.exe	132
PID 3884 wrote to memory of 4680	3884	WebCompanionInstaller.exe	133
PID 3884 wrote to memory of 4680	3884	WebCompanionInstaller.exe	133
PID 3884 wrote to memory of 4680	3884	WebCompanionInstaller.exe	133
PID 3728 wrote to memory of 392	3728	Lavasoft.WCAssistant.WinService.exe	137
PID 3728 wrote to memory of 392	3728	Lavasoft.WCAssistant.WinService.exe	137
PID 392 wrote to memory of 2528	392	cmd.exe	139
PID 392 wrote to memory of 2528	392	cmd.exe	139
PID 4680 wrote to memory of 2228	4680	WebCompanion.exe	140
PID 4680 wrote to memory of 2228	4680	WebCompanion.exe	140
PID 4680 wrote to memory of 2228	4680	WebCompanion.exe	140
PID 2228 wrote to memory of 1436	2228	csc.exe	142
PID 2228 wrote to memory of 1436	2228	csc.exe	142
PID 2228 wrote to memory of 1436	2228	csc.exe	142
PID 3884 wrote to memory of 1432	3884	WebCompanionInstaller.exe	143
PID 3884 wrote to memory of 1432	3884	WebCompanionInstaller.exe	143
PID 3884 wrote to memory of 1432	3884	WebCompanionInstaller.exe	143
PID 1432 wrote to memory of 2304	1432	WebCompanion.exe	144
PID 1432 wrote to memory of 2304	1432	WebCompanion.exe	144

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\615A.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\615A.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\7zS0B3B1F1A\WebCompanionInstaller.exe
    .\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=8.9.0.992 --silent --partner=AE190201 --homepage=11 --search=7 --campaign=292
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
      4⤵
      Launches sc.exe
      PID:2936
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
      4⤵
      Launches sc.exe
      PID:1348
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
      4⤵
      Launches sc.exe
      PID:224
  - - C:\Windows\system32\RunDLL32.Exe
      "C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:396
  - - C:\Windows\system32\net.exe
      "C:\Windows\sysnative\net.exe" start bddci
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start bddci
        5⤵
        
        PID:4616
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
      4⤵
      Launches sc.exe
      PID:4088
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" description "DCIService" "Webprotection Bridge service"
      4⤵
      Launches sc.exe
      PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start DCIService
        5⤵
        Launches sc.exe
        
        PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh http add urlacl url=http://+:9007/ user=Everyone
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4976
  - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
      "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dl87jmsy.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDE1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDE0.tmp"
        6⤵
        
        PID:1436
  - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
      "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxebem4f.cmdline"
        5⤵
        
        PID:2304
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4B5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF4B4.tmp"
        6⤵
        
        PID:2212
    - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Search.exe
        
        "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Search.exe" --searchConfigPath="C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\SearchMetadata.txt" --eventConfigPath="C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\EventMetadata.txt"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4504

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\netsh.exe
    netsh http add urlacl url=http://+:9007/ user=Everyone
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2528

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Lavasoft\WEBCOM~1\Service\x64\bddci.sys

Filesize
781KB

MD5
2a241af18d9f0466aff6cd77c1561f9b

SHA1
2c6bfc8e583ed026fdf9ec01265d99e22d39305a

SHA256
528804013487cdb1da617e512d1de68060602887bcc8a7822bdb1346a2995ffd

SHA512
6779667bb57c87fdbf4dee57682e7851b5ad5bea39deb09fcb596ae48eb571317749ff59e825f91bd57527dab7477deac5b24bdbd86471844fad36876c08dd28

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe

Filesize
8.8MB

MD5
2c178ebc4ac7466f63236e00d9e77b54

SHA1
6a5152b6c1fa9d5856c0ab2deed4c9912d05d9a6

SHA256
55b1802b3cae0d58ef5d88b3b9a61f6635d8d568dab2bee7f2aed392a91ab0f1

SHA512
ffc647865e75bb5b54b9bad5d218121c38ab8c7abc8b8770a18956a9443766c45820f19c4dc56008792f27951176449c637ca37998310efec44a644509bf4237

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config

Filesize
18KB

MD5
feed0f743db90fbc95e33f081b50acb0

SHA1
a2cc752167b06ed562c6ec00a4f994d8a59ad7f4

SHA256
a1f55fb8a5e389b7727a683b2265c678d903a4f9cb08272afbd922f41f18d7d2

SHA512
5d627768db6ce3d1a100a6a72e40ca477687e9785efa9f78c23d375889ca8c748e432f5c25323d22f600768490da25e7803e804b5b62d2f89696a5c1db972241

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll

Filesize
316KB

MD5
1a1d345ebcb496b35ae1b181c68279a6

SHA1
d093b3eb5dbbed216e5e520cb711826529b0f80a

SHA256
5b154b0e14e94c3d2d338e997e9cec60e67b99c0ba70e0a52fd5c09af6935c24

SHA512
d9c7a4ad4dd9b4acf2b5ebed6e6207a2ec0c216d6eb29bc791746306f1f5a7aa1bbb43e74fbe886eaa1c6137c1e28b91d8a02cff636e85ec8e92d2f0c66f8229

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe

Filesize
3.3MB

MD5
3827ca1c0ec114a29bb576bef431f070

SHA1
1189dd380f160046de9f5f2f1d74459958f31a4b

SHA256
dd45886108aa85350feaa6d9fcc6c922b0874dfa18bbfe23111cc8edcb37fcb1

SHA512
480b6a1fc02fdec7fc2316f01b239bce98a6d8152770d329ddc4bfb37e2e00a7987a702900523ccc0380caabbee38a404683dbb20fe9c9b9456083559afb8218

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf

Filesize
4KB

MD5
e8b58a307f96dc9ce1eb2729f86e13b0

SHA1
5cee60f070930dc971e4d35d48e30364f623aad2

SHA256
2c9a7118ef74c3b168663c8ec6f3a7b27653896e193129ed0bc5e9aa55a0afbb

SHA512
7cd9fe7bcc8c8ec1466acc1adc7ab8c9ab6bdaf7c7c27dcc6c0cb43bab741f2519a88647ce43f74d7e9caf4ae39ae172dc639ed1b2027b9e8f15f35353613d91

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_core.dll

Filesize
1.5MB

MD5
13efc649989e224c8346c52ae3cc9a93

SHA1
bf907fee6fce0745601219f3faa89bc2c08434b0

SHA256
f994e407e9f78d521f335f25b7a4217fdcc4a5e6dc050fdf90d7870fda1e0ef7

SHA512
7c6f65858e3803ab9abe075c2e257e322594b875bd6001be5a6c6bde0ab271844ccd7f869394666a2ce9b535abb46e0332697d2c19836f886241881a60697ce0

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddcihttp.dll

Filesize
2.6MB

MD5
53f6774df73cc44d29f354aecbdef948

SHA1
894158c553f39f8000c858c84ad772714e215d75

SHA256
d1130318e699b81f1918f468a8b49c9be7b8b4293c1078da4a17dac6ad999ec6

SHA512
5151804071c371fe2458c2fc67441441b01602a529582bed48b0e0226e051f933981dce1f84e3ac0f2ebe608b463fe1e9c226d058edd3bf6c5b35be9e8a9e234

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bittorrent.dll

Filesize
106KB

MD5
74d7799c00c804296c0f1b99324b513f

SHA1
527380e0e44c9fd8ca5f73d103e8e9f56eb13142

SHA256
66c0b9d01afab9db8f87164c747dc6bdd05ffae25092ab4627a8a47857118ab0

SHA512
3140d32d4199cc246fddb292400ec31bcc098e18349d9991828fc1462f7cd6aa3a0666037e569511b37b1cb6baf34c94be2fdc70a9685125a72fdd44e427cdac

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd

Filesize
49B

MD5
95e8c6cd0a911f1ab4969c06b8cf77a2

SHA1
be1b1f8abd0420f59ecab7bcf8120cdc2ce34195

SHA256
de795f6d8591577054813bee79e7c5b4ee13360039d29aa73971c6b985d26ebd

SHA512
e5eefaf761be7bf3cea207e22e98398093fa0a9d3b459af7df22bfbf07755816737a7b8b261acf01aec8b10b5d8f0d90132a4ecdd83c242b2cde883039fac1ff

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ftp.dll

Filesize
121KB

MD5
b7c081f03a50c391f5b22a0ee16b8a1e

SHA1
2fa63728dddb2e25f69adf0e02cbd75d053a9965

SHA256
42ccb6c597d0952042c3d3fdc0027634c3e9d118706a286277a32a7f6af6bd30

SHA512
8590e537d7df9523f934cd4bb18c7515d89e74fc8b3e8e35ce70b368c9a99659bf59dedb020fb470cf8577248f607ed271d52107015cdffc8a0a9f7e8ac2880b

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\http.dll

Filesize
189KB

MD5
c0d7a16ba0340ffaeadedb5fd82f6984

SHA1
63ac374a7322e4ecb9b8fed7e67ffcf01b71fc75

SHA256
e07a6f752e45e3240c95cbb890b22a154b1cca571c17fb57f11ef0b86108a7bb

SHA512
3e50f009b7a43d2fb58f28f0eaab4555d9fc68ed72af970f6a6bd875dab30b5ad32300e95ac570ddf0d925499e709457ea8757033580493f4bbae14a20d06c42

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\lsa.dll

Filesize
106KB

MD5
f89b978400b6c035f975efc6ab7303a8

SHA1
173f9f2bc814b19870c7b98057c948b0292340f9

SHA256
ca621b67c0aa1fe669c99abc0ee1a52807321f5be4092bad7c49d4291c194b7c

SHA512
d0fc9d302ee3b8be6c65ccb2a2d387a1a914ed9a453ce0cad6734f2c9d59a0ea8694e39b81382ee7b6f6c61b96db81f7ad1c227727b65a5a61c0471a35c39e33

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140.dll

Filesize
576KB

MD5
e74caf5d94aa08d046a44ed6ed84a3c5

SHA1
ed9f696fa0902a7c16b257da9b22fb605b72b12e

SHA256
3dedef76c87db736c005d06a8e0d084204b836af361a6bd2ee4651d9c45675e8

SHA512
d3128587bc8d62e4d53f8b5f95eb687bc117a6d5678c08dc6b59b72ea9178a7fd6ae8faa9094d21977c406739d6c38a440134c1c1f6f9a44809e80d162723254

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\pop3.dll

Filesize
108KB

MD5
4617113b1fa666e743f899d3781483d8

SHA1
0a1dadb7051c5a5ed9d108f78f83ac2b21419a84

SHA256
30af0cec58983ef5ccf2b30f074faad6ac348cd5fc88461c0b06977839a2c651

SHA512
92d0cd9e51de702a04bc2948e2966219b16c1bef93dadddccf801c58c2da1dd22ac5b9651583868957098959beeca2cfdd7465edece1120e364935ff65184675

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\rpc.dll

Filesize
107KB

MD5
fd8770a4368acd38c18ccb0298dcf587

SHA1
867772d872b84988bd7e9ea2271e470dd443874e

SHA256
e039a7e9bdecaf697bd73a47da557e5582fbffacc53f9a185790299156c85584

SHA512
e1123fa8cf304d082324cfaa5534ea34103226242cef1d6e1640bd2b343d19ae3bcec2302c3a6167c57f8196415190d86050fb55e2e6ba0d90aef189d5ca18c7

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\sav.dll

Filesize
726KB

MD5
47b40a1348a6eda7087a6241858ef9e1

SHA1
ca8ce0ba789baafc75b593fd8a98d4cf8afa4956

SHA256
cd83b1612c2823488ea267e88fe91a2aedf6b278bafdd39ff673bed3add39d6b

SHA512
dd43a1a08e0dd9386c0c4aa47c2e1a71a6ccd07dec1d70129c43845c5c32ec038efb617bec35320a467bbac77bad6abefd176c747b2a9113190d3e98d1b50130

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smb.dll

Filesize
192KB

MD5
b4a0352a49d7661e64693765707a0a1a

SHA1
888f7e14cc08ef0ff4f6557bc8ec3a4ac36d18f3

SHA256
4295bbc2ce2ccb68b17df07b2364ef90b3bb802fc2f44c710b13c1477f424caa

SHA512
8647121a5cfc25fb7ff46308cebe3c261927bac40d2fafe89c01945346993e31ff6b0369e2a686f9f4a16cc61b74c887ed670f30a1a21252e04cd1ba781bb712

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smtp.dll

Filesize
121KB

MD5
2b8265dfa5b53b61e875f7a83dde8680

SHA1
fa3c87c02750700ac0d20d21b88a90b8122be8e1

SHA256
748bac0cddaa20c4967f6f495db6b58f88fb675790c2039e211e42468afbe2eb

SHA512
9011bc9b204db910f7a06f89928986f03df234df39309b183b3fe226677eb0c435f0b8c3efaad9689a5fa44bee034ec99b7af2c6fc3a2056bc0a4c0d4d9d5de2

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\ssl.dll

Filesize
178KB

MD5
9592f5912b31b62193656497e67a2d9b

SHA1
b8a92656880a7016edcba43b1e206d83fe3847e0

SHA256
5978dd53996bc3856d01010e4ddc41215dc9d7fe046961feabec419972ce94bd

SHA512
ffab48be1db5cc30f61d88b3bc02e2ea30c8dcd44bfe9bed786bb7cd699dac8c456c1d390925c9a9ff2994a54cf98eee0e76984eba318792ec9838db1954b98d

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log

Filesize
4KB

MD5
e8e7ca9149f849cd92ae8d06f56632ac

SHA1
1805f2dc77f19d890dc58e0acc864f2dc9e67691

SHA256
3afb372df31d88ed8b0acb3b0b8be28403ce3e5c965fba8f5eb21bad075c1894

SHA512
a798c7aa955b5c71ef84a42fd1ec1c8ad8bb2cdc7b1d2480dcf9b1bd6954a211adc6819d6240b8a92bf20ff98937cbe887af38faac3917b32d375dd4cfe6032f

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ActiveFeatures.zip

Filesize
17KB

MD5
80e1acb2c9fd443f4298bce8af7ccc25

SHA1
0caed9af7e3e11395246eb697b35532c6d752013

SHA256
8fdb29858290d88f953e7eabbbbf6ef7362a54fc50108e9b148cdadc35ed3ac3

SHA512
cb89672e2f7b5a596a9d1eb9df1a405c763e24a65d2c5def0ecf9671c5f22b207a48aa44c7e06179b93ecb564df4ed0f5edd26873e47985d99939bcbe034502d

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ServicePartnerInfo.txt

Filesize
186B

MD5
3a84b19d25312c32acdb7e8a309d6ae7

SHA1
4055f1efcaf4b1dda8c00ee4b56ec76d2c392e06

SHA256
9542929d61ed464e5f315efdc0cd471d4070c925b15eafe646c1e14577d4b989

SHA512
80a1b4f1efcf7e230baa519204667c71cb55288904c69b17c38450ad9e5fe779d1c0f5dc3d68c81a23446fe0686d0bcbeba88f1d491314ec12e23eb935cb8861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
c930736f83fb0cd4c01787bb61d2a04b

SHA1
d27c3ff1a3aa66e33fec1ce6fa4f67f58946637c

SHA256
643eda261db1c399eb61f8b90246037604ab319118ee648d06be862be2677859

SHA512
12c640e68d15bf49924454fa147876d41500aabbbc4ab02f975b8f521c637ad2212c07263d9048f7d38bae3468865a485015f09921293a424aa9902208fa7abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
ee23d51d6c5d53d827eb79f4bf8032c3

SHA1
a631c3d30797eb3145b468a452eab2bc1336249d

SHA256
3f1be40de3b2194e90d11c585147a1da3e730bb76fa36e4ea3e1783c231eb426

SHA512
76b98fe0bc2bc360fd8e4aa00393194f251bd3dc538cd86a550ecde0d43ecc8444bc32733f8b4143fa1015b5e4ba54256decab2a68f306816d3a0f22f72de965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_684EE07DA693FF51901FCCD35B88A7C0

Filesize
806B

MD5
dc2daf7d2070aff0373fd30cdb89c910

SHA1
4a0bfff63b322c4d1e3f6a7245281bb613772ac7

SHA256
3d38c256e312f9d5628e15822e927753aab0b3e99e369d933c4edfaf47c074fd

SHA512
9240b5f9b5b95fb09576d7c481e37ed13f6d64c1279b9a639c3b2eadac701245fbf2a512e7ee20ab7519e936b61b4d823c28ad0cbf9a7a00a18416009bde8e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
45e77d0fd02621fad1e0e122f737a9b4

SHA1
8264ddb79eafe5dcba83abd3b83a299b98ff2ba8

SHA256
6e3c26a6a5fb876b2f27a9654f594f8a029b5d9f8c26f130bb6e44d124df0373

SHA512
d045be2ce6953161fce7a73bb8115366e79c9a7e1c01faacfb8ec3e02b89fca0131b420f957382bbae5d95ceca00c99f25466c067dbc6f4ef5366be49fc7932f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
0cbf38c57faa3c18ff05a59fbf3eee85

SHA1
d10319e322a74df67e05962ebc51354c86e69ed4

SHA256
b1507b1ffd28a5c9b0dea1aad7aa34f56ba8e3a5b194f825f4390ffc44ca995c

SHA512
5ed9fcac0033b894b528063cacc9d17e3fa9890eb3ae760fa8fc700b84be759b956fa437b35d656f50d2f0a0b0bbddb38fb2d4e562e82cdc8cdeb8b7cbcddace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_684EE07DA693FF51901FCCD35B88A7C0

Filesize
540B

MD5
868f554da75335d81ab0a23ea177782a

SHA1
6f0eae4dcef04ce3da1347f6655cefcec77de681

SHA256
f34b1995485e4b4ad2873e479eb6563b725a72bb35d4e817d871dd198c5b63f9

SHA512
a5df72fa69dbf325eeaf35f756ed863146b0c468752d0b28b668f2754f68a36f5532c02da0337e53343b2ec14e3898b0129c3ef7549ad0a92fab86d5d30e041d

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\Search\Logs\search.log

Filesize
4KB

MD5
ccf088c702dd60488e586db236d64c36

SHA1
7cfd7d3cea257e897306cb5a523feb61d4571e89

SHA256
06d5e9da40f5ea0d07bf89c6e3e18efe0a803953600d1076bff4670d6102ea84

SHA512
83a79b7526727e2980f00fc25cf07c60de4d7df9b02e71edc99127523884acd94db67f1149aee2f51b06975b4cadf5cc2d3262273a55d55912f93bdbf26c4af4

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\4ozw1dmc.newcfg

Filesize
4KB

MD5
4e64b1264254b12e2c2617579d03095f

SHA1
2160148fc64085a2276a45e511b4cdceaaa0bc7b

SHA256
37773898593fead05fe40e6964ea73472f333ed3fd0ea6e343e52bedba893d41

SHA512
78f981986afd97df2e65c8d796d66cc0ba08d8b75ff98ede5501d8cafd377e7e11b963c75010af45b9a196355712ac8d3612a26578c6bc037d4839d04377be64

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\aixko9ar.newcfg

Filesize
2KB

MD5
6c15347458c318ed60377c88eb2db718

SHA1
c1a02db2eadb19e4ff489818037f56626b599a88

SHA256
ae3e90cf9a2b00d7510cc83fb4f1d8a4810af13eefe7556240e749e5a849f5da

SHA512
df679c8d98da443c756caad864f8499e92591a3a6503f2cb6c97b20c63c9e228692736de12fff1100f5d26fb1076c89897fa235a55926b5c5c402e2a3eadff84

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\c9bwzfb3.newcfg

Filesize
2KB

MD5
f0872e1ce6ba3ab5fc6738a8119bdde6

SHA1
0b47ac39f7aa40318eeb94295b6674d0e4871649

SHA256
c44fbf5c231c32b63719d924863faaec8154d192d9dc18a4731d78e629c3b069

SHA512
8ef5a5a3fcbcdcdd41fc91572ce5e6c71d13e5e2819fa9a267d017244bfdc17647dfad6732d1018b499050c4eeb820d324a8583678a2faa851bd6660554916b4

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\crcxk-wq.newcfg

Filesize
2KB

MD5
33e68e1b64cb1ea9a476cc6bbe9626d8

SHA1
add499993f5155cb6541b6256b6a0d188a1ed528

SHA256
93e462f0aba85cb832ec0df612cd4403133d722b0c2b2cbdbedec3b98b07be96

SHA512
9505c058550a8483a463a10b8cedf2688b68505e0311f06b78a4f72c5d9eaac7f5c09e3220705cbcb124be8402af6b45228daea8d36137834b1c0aa9e2e562d8

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\digk47pj.newcfg

Filesize
4KB

MD5
5b2b3aa131cd5411222474783589a9d8

SHA1
ec602a97f3f9f75255b279f42d9349061e382a75

SHA256
f2fe4a4cab7b836f8308d852babb88eddaf2ae1714d844c2da268f590fd91bfe

SHA512
364d2a30175ad36bcdf63b2965e481932b6b6d319a10efece04fd979003b5eabf6fd25ed32a6d2d7c708c0e340a4ccff2b2ffec720445a9e393f37710eeaae34

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\okxoa1cd.newcfg

Filesize
4KB

MD5
8ce1a7bc52ff85650776fbc1639aafe3

SHA1
8e18d4bb1676f63eca421184429f1d6122ca5141

SHA256
4c41ffd85781cdd5a23e314813b47804e17108f5d630ecd6ae1e0dca149a3f7e

SHA512
fa7404e8638aac282fa613e0cf99e32523eab9e5ee1ac3d870d03d2dcac96f361e4851955b0ed47a320ee6dd1285c22b95557bee4937679e4d0eec4e7374ad59

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\s_qsoyra.newcfg

Filesize
3KB

MD5
a8e2d137726b4b5c06ec79af479a1a7a

SHA1
2fdf660b0e813a207934f9bfdaad4c0ebc5bcbcc

SHA256
8262304018ff90edf102893353eca97e3ea00ab21e3c9bfee570e75fd1aab161

SHA512
401e733c80ef297ad3a8ac5348e41577ba9e58c4fb3647ca9c08c2d09072e7a7786afbeb3dfeb40779f31d3687a435fdf421b807783612973d4240cb38a26f04

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\shop2mbh.newcfg

Filesize
4KB

MD5
ae54abf4755f8a58c42cd573f53a388e

SHA1
1c890d42562e90e01e66a7b116b0af13f90fc1ef

SHA256
3860bc523a1d9d880696d2d18cca7f0eb239bcfba40c583c2e2879a483bd75e8

SHA512
269623447b45b33cb21200062c4b94c35e8cabed2ba37147611c94af35f57ea2fcef3b6ef850ecb3a72aca8eabb7f691a677987a6db51fdd5c5e7dc0e9dfb38a

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\sjwjmyp3.newcfg

Filesize
4KB

MD5
f4fdac836dce561fbf7b2a4a4ef4e4c4

SHA1
1a2ae6748c3e5c5962f25238591aa602d9d7fff4

SHA256
9ae271650dee149bde836ebcb3f0ee29f26f6ec4ff5610c3eb812461b31a6836

SHA512
bf9ab4eb082b83071d51dadf68b2b2a2da56b6796228ceebf38e90de4ef1b35185516d834a7b7ebe551069747864350058d6a3d025aa7594ad632f1080bc1f0b

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
338B

MD5
0a35fbae99f45bc0dccdb777ecfd0436

SHA1
65e295fde91f90d55b107680e060895654fe66e4

SHA256
19af84c48a15820c94367390d58588ddad8164b0ac4056c258a766c726329550

SHA512
db3a0973a373c039603c750f0f196cbf65553cddb83739f1942402eaacbe178a775be87c4b034feb706830ae69d20158c3e3ecad8d5d3febc45146b487c3c42c

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
1KB

MD5
e4308a22084be6f951aa99648cdbe1c2

SHA1
dbef8d6b73e101397816c3ade09d4f156987a53b

SHA256
f96bacba602816427d078505dea2b0423bd391313950e8b60258471d7372b446

SHA512
8d1aa1380a5623d247fea0d8e0178cc1dbb61141c7dc45c095930a420a904efbf7f80f3febb5411cb8a152ee12e5e667f6466cf33de58dcdf89e0199fd959867

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\user.config

Filesize
3KB

MD5
827106b7d7ad422640e82068b60e4aff

SHA1
afe46334743260aa2f570efae161b1b1cefc3430

SHA256
1e4d247a9809d10bd751bdf470332ad4c7dd39d7a236df1a793f066295cd2fc6

SHA512
f64dad918387aef552fd2e386f38c5de30a0165f7d891cb9ac91f51c8febbb459405928820ebfb2698f73920db078e683ce6528c8e82963191fd7c1f8d03f19f

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\wask9jj8.newcfg

Filesize
2KB

MD5
0f52567ff36ee6655a32219f21b54887

SHA1
4fb341e09eaf176bc4e2d97f37a9de5d0c30872e

SHA256
89deccb3a952f09d39de0a9644cf37fd83afdb4ab97b52d9e0a9935f8a6ed152

SHA512
c44616767f441448cb32e40c3ae9c0f7836a726989424fa9d37c0f40af8779d8bb0f035b6763e7280063c3baa500dac59a3edf002195960cb85f53c2c9aa8c48

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\ybrij_3h.newcfg

Filesize
2KB

MD5
d6c1b6a9a7ab50210d072d26f95dd620

SHA1
74f555ea90e0fa763a5009ffade0746352785411

SHA256
497e4f6f7473367230a882e094b8754cf403eb4cc6cd02babe9b6d24ea93dc55

SHA512
b98dd04d165370c4f520eb6bcf3782feeca158a66236de4df26c5f7dc6131a06306dded9d9925bdb29597808cdab130ac0e70d711667f6a4f6acb7ffa913fdca

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.992\yzs-38gz.newcfg

Filesize
2KB

MD5
96adaec59f57471887c44becadac0aae

SHA1
f55c3fd9b55bb8525587edd7b2f17a96bffae0f6

SHA256
3d066abde0d9cc5891b3b24f0e4f6117d759837a0bc3fb34bce89501c0549f1b

SHA512
734db5a7d4eb544aef1748285e15bdcda3d4690b0725a81ed8e304f3bb05d14916cfca98b32283c97c9c9698156cf80ff042394b25a80a5024220039e6f4fd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\615A.tmp.exe

Filesize
149KB

MD5
060404f288040959694844afbd102966

SHA1
e0525e9ef6713fd7f269a669335ce3ddaab4b6a1

SHA256
40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a

SHA512
ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B1F1A\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
b4ecb8001f71894c1a17860476981441

SHA1
72d28f2aa50082a152cb6b3e25895855188fe9b8

SHA256
e6133baa62122e214ab9c114e9fff73bf25956518907a88577a85c8fb88c561f

SHA512
930e1b8181048790fffc1a5bd7f9dde91eeb757f1f8f35e01373f9414794963a53c03239b4ccc60b5c38049aba9e4db0ef5c166e278751c15c136a331ae495b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B1F1A\Newtonsoft.Json.dll

Filesize
428KB

MD5
eb259a0e2377f4c0bfb8712b773456fe

SHA1
d9123b055df58e33aa2ab2f242b30fc6a37f1cad

SHA256
4f9d1e187920dadd4e7693897f8240621e498ffd1709915c3b8394aaa1a34b43

SHA512
1f6e7c2233307a90dda68eaaa4ac08848b0499b464d3a307390a4b95ec1751d00b923572f92588b55f049ae6f4282d4126d2425e5caf8a95c8260f7600dc574a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B1F1A\WebCompanionInstaller.exe

Filesize
456KB

MD5
994672c2aa0d63930a0d8614bafeac09

SHA1
94dc5848fd00f05589707fece3f60b8840aed26a

SHA256
c5a088842a698f1938c22f6314a141251282e32f263d99a6854c2d58fdee9272

SHA512
47a0d7bf14b46cddc90cc1dab0add345e40621fcd11d97786b3947a04bf9acf1cd4cc304562a51c1f83b7b8422302bdf7f8dd23dd949ee6847850f5e911d6e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B1F1A\WebCompanionInstaller.exe.config

Filesize
2KB

MD5
8faad08d58b1207cff53b7dc1a35af91

SHA1
e74f806a6cfea16c2e5c6c90ff6a66111b61cea8

SHA256
091d2aae6d9f4a9b403e45ebc578e0cf27a08d16e9b8784e614c8710080f2cca

SHA512
dc0cfe69c6a3f715875f1badbf44eb90aeb97ebb5fc7b9f3dd4b4f4561de4c403b086709730f4f11de0815828f212591bf63b0fc591e8445ba7a320c574ea2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe

Filesize
552KB

MD5
bc4c25ffc19286961d5cc54dd79a6d2d

SHA1
d1ca4a578a51946d38b0ceaf63a3a75c4b8fff5a

SHA256
409960971e9e9e31121d10d5033f27ec07ac228e52c32873292f2ee8567a8eaa

SHA512
0c4fc53d6d5fe5fa478f436616022a3c509d70a2d99714badfb945d88c6da9e005961b2d3409a124abdf5b5858001a0e385c58169c822f3b0d4cbd70327044a1

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Search\ProfileInfo.txt

Filesize
78B

MD5
7cb869443c6a671a4a21588155150475

SHA1
fb8c43f47ed26b251354cab7be011974adc7b436

SHA256
50560e7b3e0481bdfa9809006c92aa190844867a51454ad81ea2a06b216aa7cf

SHA512
f167d08ef9699881bbcd067c135b8da27958e6fb4ffb0730e13480fa9e25a6630ea00ef7945f205322eb3f4a060e7cdd8ca1aed434258b932cb2d96b8584f094

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Search\searchenginetemplate.xml

Filesize
1KB

MD5
b3c45cbea8dd3685f189db517db7992b

SHA1
e950121e65a194d735925fd9f8b6619acd735082

SHA256
6b391592ade248e6dfbc9711cc78c3e91090999e131c620de3dedb3f83202f75

SHA512
a3e2a6903c7a3daaeace184b1e54dad1b3896a62c3d613dac2b9d68bec12d9ed4af852835d1bc1432fddeff3fac1eaf567b2d8d4ea57a0986e647cea30f75b74

Download Submit
C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Options\b_search.json

Filesize
882B

MD5
ae507c49cd5c982bcbdf9d5ac604edf6

SHA1
29f61ca09f1cc50c44b8fdff12d835a8ae991fae

SHA256
e25d71abac19c752318230bcb03abe6f94c06bb1d84a41bc79f92e7987e4b6a1

SHA512
0147818489acd0e0cc044cb8c0b537e61e7e4e8873f41f11d44f8bf764fd5382844f0f69660b39f559c7d0c5c4f31f4383b7daa267ce416180e7b0280902d97c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new

Filesize
466B

MD5
79754ec8ba75bc34225fad54ef4b4156

SHA1
e1af24dad9f76041215578830b59eca0568c4980

SHA256
da1c5ca1e69fea379a72ddb7b3bee35dac2e18012c6a8ea7366fcea1eb4d3cd9

SHA512
fe9efadde9b2b8a60a8fbc3a174688ec058b02cf091b91de2a2b961dae4bf30ef824ea19dde1994941f68316446368c3d965caf0c83205046415dfe6e5749c9f

Download Submit
memory/1432-883-0x00000000701C0000-0x00000000701D2000-memory.dmp

Filesize
72KB

Download
memory/1432-882-0x0000000011640000-0x0000000011652000-memory.dmp

Filesize
72KB

Download
memory/1432-1046-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download
memory/2096-824-0x000000001AA60000-0x000000001AE34000-memory.dmp

Filesize
3.8MB

Download
memory/2096-825-0x000000001B150000-0x000000001B286000-memory.dmp

Filesize
1.2MB

Download
memory/3728-529-0x0000000000CC0000-0x0000000000CE0000-memory.dmp

Filesize
128KB

Download
memory/3728-531-0x000000001A310000-0x000000001A360000-memory.dmp

Filesize
320KB

Download
memory/3728-553-0x000000001D030000-0x000000001D0AE000-memory.dmp

Filesize
504KB

Download
memory/3728-552-0x000000001CF40000-0x000000001CFB0000-memory.dmp

Filesize
448KB

Download
memory/3728-549-0x000000001CA30000-0x000000001CF3E000-memory.dmp

Filesize
5.1MB

Download
memory/3728-530-0x000000001A2B0000-0x000000001A2B8000-memory.dmp

Filesize
32KB

Download
memory/3728-554-0x000000001D140000-0x000000001D1CE000-memory.dmp

Filesize
568KB

Download
memory/3728-548-0x000000001C430000-0x000000001C520000-memory.dmp

Filesize
960KB

Download
memory/3728-547-0x000000001C3E0000-0x000000001C429000-memory.dmp

Filesize
292KB

Download
memory/3728-542-0x000000001BE60000-0x000000001BE7E000-memory.dmp

Filesize
120KB

Download
memory/3728-543-0x000000001BED0000-0x000000001BF32000-memory.dmp

Filesize
392KB

Download
memory/3728-538-0x000000001A9A0000-0x000000001A9B0000-memory.dmp

Filesize
64KB

Download
memory/3728-537-0x000000001B7A0000-0x000000001BD5A000-memory.dmp

Filesize
5.7MB

Download
memory/3884-698-0x0000000073400000-0x00000000739B1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-349-0x0000000073402000-0x0000000073403000-memory.dmp

Filesize
4KB

Download
memory/3884-73-0x0000000073400000-0x00000000739B1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-72-0x0000000073400000-0x00000000739B1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-70-0x0000000073402000-0x0000000073403000-memory.dmp

Filesize
4KB

Download
memory/3884-350-0x0000000073400000-0x00000000739B1000-memory.dmp

Filesize
5.7MB

Download
memory/4284-1026-0x000000001C1B0000-0x000000001C4BE000-memory.dmp

Filesize
3.1MB

Download
memory/4284-1028-0x000000001C6E0000-0x000000001C6F0000-memory.dmp

Filesize
64KB

Download
memory/4284-1025-0x000000001C180000-0x000000001C1A6000-memory.dmp

Filesize
152KB

Download
memory/4284-1024-0x000000001BA60000-0x000000001BA72000-memory.dmp

Filesize
72KB

Download
memory/4284-1022-0x000000001BF00000-0x000000001BF6E000-memory.dmp

Filesize
440KB

Download
memory/4284-1020-0x000000001B900000-0x000000001B96C000-memory.dmp

Filesize
432KB

Download
memory/4680-510-0x0000000070DD0000-0x0000000070DE2000-memory.dmp

Filesize
72KB

Download
memory/4680-509-0x000000000DB20000-0x000000000DB32000-memory.dmp

Filesize
72KB

Download
memory/4680-684-0x00000000661C0000-0x00000000661E2000-memory.dmp

Filesize
136KB

Download