Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1465336
MD5:	a081cff1d93f1bcc478835dcb98e7c47
SHA1:	00e6cb7c41860aeb346958192c68eb86b4015fb2
SHA256:	c0db81c7d38819926df96d6fb3adda34fb8783acede83d5f9bc0b681f2287845
Infos:

Detection

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	34
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Modifies Internet Explorer zone settings

Modifies Internet Explorer zonemap settings

Overwrites Mozilla Firefox settings

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Yara detected Generic Downloader

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates or modifies windows services

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Is looking for software installed on the system

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: IE Change Domain Zone

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w7x64

Setup.exe (PID: 848 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: A081CFF1D93F1BCC478835DCB98E7C47)

WebCompanion-Installer.exe (PID: 2412 cmdline: .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=20541619131 --version=13.900.0.1080 MD5: A27F9713DB1688D03D2082BFA1827803)

cmd.exe (PID: 1724 cmdline: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone MD5: AD7B9C14083B52BC532FBA5948342B98)

netsh.exe (PID: 2496 cmdline: netsh http add urlacl url=http://+:9007/ user=Everyone MD5: 784A50A6A09C25F011C3143DDD68E729)

WebCompanion.exe (PID: 2596 cmdline: "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo= MD5: D5180525E08932A69DD1903AB30313EF)

WebCompanion.exe (PID: 1304 cmdline: "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --minimize MD5: D5180525E08932A69DD1903AB30313EF)

WebCompanion.exe (PID: 204 cmdline: "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --minimize MD5: D5180525E08932A69DD1903AB30313EF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe, ProcessId: 2596, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion

Sigma detected: IE Change Domain Zone

Source: Registry Key set

Author: frack113: Data: Details: 2, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe, ProcessId: 2412, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\*

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 3, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe, ProcessId: 2412, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2301

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Setup.exe

ReversingLabs: Detection: 29%

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureMainComponent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\7za.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureMainComponent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\7za.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	EXE: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	Jump to behavior

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{a056d2c3-adf7-4778-84b5-d927fc6847f2}

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

File created: C:\Users\user\AppData\Local\Temp\WcInstaller.log

Jump to behavior

PE / OLE file has a valid certificate

Source: Setup.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.149.130:443 -> 192.168.2.22:49191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.149.130:443 -> 192.168.2.22:49219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.27.149:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49251 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.27.149:443 -> 192.168.2.22:49254 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.SysInfo\obj\Debug\Lavasoft.SysInfo.pdb source: WebCompanion.exe, 00000008.00000002.746264076.0000000005252000.00000020.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils.SqlLite\obj\x86\Debug\Lavasoft.Utils.SqlLite.pdb source: WebCompanion.exe, 00000008.00000002.742184545.0000000000752000.00000020.00000001.01000000.00000013.sdmp, Lavasoft.Utils.SqlLite.dll.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\FeatureMainComponent\obj\Debug\FeatureComponent.pdb source: WebCompanion.exe, 00000008.00000002.742359242.0000000000CF2000.00000020.00000001.01000000.00000016.sdmp, FeatureComponent.dll.2.dr
Source:	Binary string: C:\Users\michael.bilinsky\Downloads\managedesent-88b673\EsentInterop\obj\Debug\Esent.Interop.pdb source: Esent.Interop.dll.2.dr
Source:	Binary string: p\C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application/WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdb source: WebCompanion.exe, 00000009.00000002.742241549.0000000000CEC000.00000020.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.CSharp.Utilities\obj\x86\Debug\Lavasoft.CSharp.Utilities.pdb source: Lavasoft.CSharp.Utilities.dll.2.dr
Source:	Binary string: p\C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Projects\WebCompanion\Common\SearchProtect.WinService\obj\Debug\Lavasoft.WCAssistant.WinService.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002915000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eApplication/WebCompanion-Installer.pdbPK source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.zip.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils\obj\x86\Debug\Lavasoft.Utils.pdb source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr
Source:	Binary string: c:\Windows\Temp\drone-ME4saUyIgSY9rSgY\drone\src\WebCompanion\Lavasoft.AppCore\obj\Release\Lavasoft.AppCore.pdbp source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Events\obj\x86\Debug\Lavasoft.Events.pdb source: WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.WcfService\obj\Debug\Lavasoft.WCAssistant.WcfService.pdbL source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002915000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: WebCompanion.exe, 00000008.00000002.747353038.00000000063A2000.00000020.00000001.01000000.0000001C.sdmp, Ionic.Zip.dll.2.dr
Source:	Binary string: Application/WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.zip.2.dr
Source:	Binary string: CreateLavasoft.Utils.Features.PartnerInfoppCore.pdbpdbore.pdbo source: WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: WebCompanion.exe, 00000008.00000002.747353038.00000000063A2000.00000020.00000001.01000000.0000001C.sdmp, Ionic.Zip.dll.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils.SqlLite\obj\x86\Debug\Lavasoft.Utils.SqlLite.pdbl< source: WebCompanion.exe, 00000008.00000002.742184545.0000000000752000.00000020.00000001.01000000.00000013.sdmp, Lavasoft.Utils.SqlLite.dll.2.dr
Source:	Binary string: CreateLavasoft.Utils.Features.PartnerInfoppCore.pdbpdbore.pdb source: WebCompanion.exe, 00000008.00000002.746342130.00000000055F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdbX. source: WebCompanion.exe, 00000009.00000002.742241549.0000000000CEC000.00000020.00000001.01000000.00000014.sdmp
Source:	Binary string: p&Application/WebCompanion-Installer.pdb@\ source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.WcfService\obj\Debug\Lavasoft.WCAssistant.WcfService.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002915000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Events\obj\x86\Debug\Lavasoft.Events.pdbX source: WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.Service.Logger\obj\Debug\Lavasoft.WCAssistant.Service.Logger.pdbh- source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, Lavasoft.WCAssistant.Service.Logger.dll.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet\bin\2008\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb`: source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils\obj\x86\Debug\Lavasoft.Utils.pdb$ source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr
Source:	Binary string: &Application/WebCompanion-Installer.pdb source: WebCompanion.zip.2.dr
Source:	Binary string: c:\Temp\Release\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.745547016.0000000005589000.00000020.00000001.01000000.00000008.sdmp, WebCompanion.exe, 00000008.00000002.745271283.0000000004C72000.00000020.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\SourceCode\TFS\MozCompressor\Debug\MozCompressor.pdb source: WebCompanion.exe, 00000008.00000002.745149373.0000000004BF5000.00000002.00000001.01000000.00000018.sdmp, MozCompressor.dll.2.dr
Source:	Binary string: C:\Windows\TEMP\drone-ME4saUyIgSY9rSgY\drone\src\Common\VPNService\obj\x86\Debug\VPNServiceWCF.pdb source: VPNServiceWCF.dll.2.dr
Source:	Binary string: vcruntime140d.i386.pdb+++ source: WebCompanion.exe, 00000008.00000002.749384362.0000000062361000.00000020.00000001.01000000.00000019.sdmp, vcruntime140d.dll.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.Service.Logger\obj\Debug\Lavasoft.WCAssistant.Service.Logger.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, Lavasoft.WCAssistant.Service.Logger.dll.2.dr
Source:	Binary string: ucrtbased.pdb source: WebCompanion.exe, 00000008.00000002.748533348.00000000621C1000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: vcruntime140d.i386.pdb source: WebCompanion.exe, 00000008.00000002.749384362.0000000062361000.00000020.00000001.01000000.00000019.sdmp, vcruntime140d.dll.2.dr
Source:	Binary string: Application/WebCompanion-Installer.pdbPK source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.zip.2.dr
Source:	Binary string: c:\Windows\Temp\drone-ME4saUyIgSY9rSgY\drone\src\WebCompanion\Lavasoft.AppCore\obj\Release\Lavasoft.AppCore.pdb source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: c:\Windows\Temp\drone-ME4saUyIgSY9rSgY\drone\src\WebCompanion\Installer\WebCompanionInstaller\obj\Release\WebCompanion-Installer.pdb source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: webcompanion-installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005899000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net35\WpfAnimatedGif.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000262D000.00000004.00000800.00020000.00000000.sdmp, WpfAnimatedGif.dll.2.dr
Source:	Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net35\WpfAnimatedGif.pdbSHA256 source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000262D000.00000004.00000800.00020000.00000000.sdmp, WpfAnimatedGif.dll.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet\bin\2008\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr

Spreading

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Lavasoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /api/feature/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=Start&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 470Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=Start&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 421
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 531
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 669
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 538
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 505
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 538
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 511
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 550
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 489
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 550
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 481
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 543
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 483
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 543
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 498
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 543
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 514
Source: global traffic	HTTP traffic detected: POST /api/Update/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 194
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 540
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 508
Source: global traffic	HTTP traffic detected: GET /13.900.0.1080/WebCompanion-13.900.0.1080-prod.zip HTTP/1.1Host: wcdownloadercdn.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 541
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 544
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 536
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 514
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 545
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 510
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 544
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 508
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 544
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 520
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 546
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 514
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 544
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 484
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 541
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 508
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 546
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 509
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 542
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 492
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 544
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 503
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 544
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 502
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 540
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 502
Source: global traffic	HTTP traffic detected: POST /api/feature/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 466Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 4686Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=Launch&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 423
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=FirstRun&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 326
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FirstRun&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 326
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=NanoBrowser&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 1801
Source: global traffic	HTTP traffic detected: POST /api/feature/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 479Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 7931Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/Update/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 479
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 1020
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ToggleButton&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 577
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ValidateMicrotargeting&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 715
Source: global traffic	HTTP traffic detected: POST /api/feature/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 479Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 548
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 7931Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 963
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 565
Source: global traffic	HTTP traffic detected: POST /api/Update/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 479
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 551
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 1020
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 542
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 1369
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 1355
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 545
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=UIOpen&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 342
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 540Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 623
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 540
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 497
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 540
Source: global traffic	HTTP traffic detected: POST /api/feature/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 485Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 621
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 540
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 4705Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 490
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=Launch&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 428
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=CompleteInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 443
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=CompleteInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 399
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 550
Source: global traffic	HTTP traffic detected: POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 515
Source: global traffic	HTTP traffic detected: POST /api/Update/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 479
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1 HTTP/1.1Content-Type: application/jsonHost: flwadw.comContent-Length: 1020
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402 HTTP/1.1Host: wc-partners.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402_wb HTTP/1.1Host: wc-partners.lavasoft.com
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402_ab HTTP/1.1Host: wc-partners.lavasoft.com
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402_ac HTTP/1.1Host: wc-partners.lavasoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.com
Source: global traffic	HTTP traffic detected: GET /version_logs?json=true&version=13.900.0.1080 HTTP/1.1Host: webcompanion.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 64.18.87.81 64.18.87.81
Source: Joe Sandbox View	IP Address: 104.18.27.149 104.18.27.149

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: global traffic	HTTP traffic detected: GET /13.900.0.1080/WebCompanion-13.900.0.1080-prod.zip HTTP/1.1Host: wcdownloadercdn.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402 HTTP/1.1Host: wc-partners.lavasoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402_wb HTTP/1.1Host: wc-partners.lavasoft.com
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402_ab HTTP/1.1Host: wc-partners.lavasoft.com
Source: global traffic	HTTP traffic detected: GET /Partner.svc/GetPartnerInfo?partner=IN240402_ac HTTP/1.1Host: wc-partners.lavasoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: geo.lavasoft.com
Source: global traffic	HTTP traffic detected: GET /version_logs?json=true&version=13.900.0.1080 HTTP/1.1Host: webcompanion.comConnection: Keep-Alive

Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp	String found in binary or memory: <td align="right" width="24"><a target="_blank" href="https://www.facebook.com/lavasoft.adaware"><img src="http://webcompanion.com/images/email/fb-icon.png" width="16" height="16" alt="fb" style="display:block;border:0;" /></a></td> equals www.facebook.com (Facebook)
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comD0 equals www.youtube.com (Youtube)
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: geo.lavasoft.com
Source: global traffic	DNS traffic detected: DNS query: featureflags.lavasoft.com
Source: global traffic	DNS traffic detected: DNS query: flwadw.com
Source: global traffic	DNS traffic detected: DNS query: wcdownloadercdn.lavasoft.com
Source: global traffic	DNS traffic detected: DNS query: wc-partners.lavasoft.com
Source: global traffic	DNS traffic detected: DNS query: webcompanion.com
Source: global traffic	DNS traffic detected: DNS query: partners.webcompanion.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cookielaw.org
Source: global traffic	DNS traffic detected: DNS query: sg-bitmask.adaware.com
Source: global traffic	DNS traffic detected: DNS query: geolocation.onetrust.com
Source: global traffic	DNS traffic detected: DNS query: cdn.inspectlet.com

Source: unknown

HTTP traffic detected: POST /api/feature/WC HTTP/1.1Content-Type: application/jsonHost: featureflags.lavasoft.comContent-Length: 194Connection: Keep-Alive

Source: WebCompanion.exe, 00000009.00000002.751140953.000000000698A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ad-blocker-update-service.lav
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002614000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe.config.2.dr	String found in binary or memory: http://ad-blocker-update-service.lavasoft.com/update.asmx
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxD0
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.000000000539C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.000000000539C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/d$
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/D0
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/D0
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://em.lavasoft.com/subscribe/profile?f=21&id=
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002614000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe.config.2.dr	String found in binary or memory: http://feedback-service.lavasoft.com/feedback.asmx
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geo.lavasoft.com
Source: WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geo.lavasoft.com/
Source: WebCompanion.exe, 00000008.00000002.745271283.0000000004C72000.00000020.00000001.01000000.00000017.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://localhost:9008Fhttp://localhost:9008/webcompanion/4http://rt.webcompanion.com
Source: WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://ocsp.entrust.net00
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://ocsp.entrust.net01
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://pp.webcompanion.com/notifications/download/rt/ActiveFeatures.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://pp.webcompanion.com/notifications/download/rt/Silverlight_x64.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://pp.webcompanion.com/notifications/download/rt/aabrowser.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://pp.webcompanion.com/notifications/download/rt/chbrowser.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/ActiveFeatures.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/FeatureActions.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/IEBhoHelper.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/IEBhoHelperTest.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/IESPHelper.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/Silverlight_x64.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/aabrowser.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/adblocker.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/chbrowser.exe
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/extension.txtuhttps://staging-feedback-service.
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/postrun/preprod/v1/FeatureActions.zip
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/postrun/prod/v1/FeatureActions.zipkhttp://pp.we
Source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/postrun/v1/searchengine_v1.zip
Source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/searchenginetemplate.xmlQhttps://appdownload.la
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/typolist.txt.http://www.lavasoft.com6http://www
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://rt.webcompanion.com/notifications/download/rt/typolist.txt5Creating
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/SearchProtect.WcfService(
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/SearchProtect.WcfServicef
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/VPNService.WCF.Model
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/VPNService.WCF.Model_
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000282C000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C8000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://staging-cloudflow.lavasoft.net/v1/event-stat-wc
Source: WebCompanion.exe, 00000009.00000002.742241549.0000000000CEC000.00000020.00000001.01000000.00000014.sdmp	String found in binary or memory: http://system.data.sqlite.org/
Source: WebCompanion.exe, 00000008.00000002.742307382.0000000000C14000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://system.data.sqlite.org/X
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://tempuri.org/$
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/:WebHttpBinding4
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/A
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/AddT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://tempuri.org/GetComponentsInfoByProductT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/GetComponentsInfoT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/GetComponentsVersionInfoT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://tempuri.org/GetProductInfoT
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedService/GetNotify
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedService/GetNotifyResponse
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedService/GetParameters
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedService/GetParametersResponse
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedService/Rewards
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedService/RewardsResponse
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedServiceInstaller/ChangeScreen
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedServiceInstaller/ChangeScreenResponse
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedServiceInstaller/GetDropDownValues
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ILocalyHostedServiceInstaller/GetDropDownValuesResponse
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPN
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNT
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetConnectionInfo
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetConnectionInfoResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetConnectionInfoT
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetLocations
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetLocationsResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/GetLocationsT
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/IsVPNConnected
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/IsVPNConnectedResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/IsVPNConnectedT
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/LoadConfig
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/LoadConfigResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/LoadConfigT
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/TurnOffVPN
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/TurnOffVPNResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IVPNServiceWCF/TurnOffVPNT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/CopyFilesResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/CopyFilesT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/CreatUninstallInfoResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/CreatUninstallInfoT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentHomePageIEResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentHomePageIET
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentSearchIEResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/GetCurrentSearchIET
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunProcessResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunProcessT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunasAdminResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/RunasAdminT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetAutoRestoreSessionIEResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetAutoRestoreSessionIET
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetHomePageIEResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetHomePageIET
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetNewTabIEResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetNewTabIET
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetSearchEngineIEResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SetSearchEngineIET
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SilentUninstallResponse
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/SilentUninstallT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/UpdateUninstallInfoResponse=
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/IWCAssistantService/UpdateUninstallInfoT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/SendEmailT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/SendFeedbackT
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/SendWCFeedbackT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://tempuri.org/SignZipInstallerByProductT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/SignZipInstallerT
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/T
Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://tempuri.org/WcSendAutoResponseEmailT
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_ab
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_ac
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_wb
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfoLR
Source: WebCompanion.exe, 00000009.00000002.751140953.000000000698A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wc-update-service.lavasoft.com/co
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002614000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr, WebCompanion.exe.config.2.dr	String found in binary or memory: http://wc-update-service.lavasoft.com/components.asmx
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002614000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr, WebCompanion.exe.config.2.dr	String found in binary or memory: http://wc-update-service.lavasoft.com/update.asmx
Source: WebCompanion-Installer.exe, 00000002.00000002.741957823.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wcdownloadercdn.lavasoft.com/13.0.0.1
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: http://wcdownloadercdn.lavasoft.com/13.0.0.1080/WebCompanion-13.0.0.1080-prod.zip
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: http://wcdownloadercdn.lavasoft.com/13.0.0.1080/webinstaller-13.0.0.1080-prod.zip
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webcompanion.com
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000282C000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.000000000282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webcompanion.com/check
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Frequently Asked Questions.url.8.dr	String found in binary or memory: http://webcompanion.com/faq
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://webcompanion.com/google_chrome_incompatibility
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://webcompanion.com/help
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll0.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://webcompanion.com/images/email/hdr_main.png
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll0.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://webcompanion.com/images/email/tw-icon.png
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll0.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://webcompanion.com/images/email/wc-title-header.png
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll0.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://webcompanion.com/mail-report-reply
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://webcompanion.com/notifications/includes/wl.phpthttp://webcompanion.com/version_logs?json=true
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: http://webcompanion.com/unsafe
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webcompanion.com/version_logs?json=true&version=
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webcompanion.com/version_logs?json=true&version=13.900.0.1080
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000262D000.00000004.00000800.00020000.00000000.sdmp, WpfAnimatedGif.dll.2.dr	String found in binary or memory: http://wpfanimatedgif.codeplex.com
Source: WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.apache.org/).
Source: WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ionic.Zip.dll.2.dr	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: WebCompanion.exe.2.dr	String found in binary or memory: http://www.codeproject.com/Articles/28093/Using-RoutedCommands-with-a-ViewModel-in-WPF
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://www.entrust.net/rpa0
Source: Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: WebCompanion.exe.2.dr	String found in binary or memory: http://www.gophish.com
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr	String found in binary or memory: http://www.lavasoft.com
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://www.lavasoft.com/mylavasoft/contact
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://www.lavasoft.com/privacy_policy/
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: http://www.lavasoftsupport.com/index.php?/forum/191-web-companion/
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000272B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.749913986.0000000069A7A000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	String found in binary or memory: http://www.sqlite.org/copyright.html4
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.webcompanion.com
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comD0
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C4000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287B000.00000004.00000800.00020000.00000000.sdmp, WcInstaller.log.2.dr	String found in binary or memory: https://acs.lavasoft.com/api/v2/url/blacklist
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: https://acs.lavasoft.com/api/v2/url/blacklist1http://geo.lavasoft.com/ihttps://acscdn.lavasoft.com/u
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acs.lavasoft.com/api/v2/url/permanentwh
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C4000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287B000.00000004.00000800.00020000.00000000.sdmp, WcInstaller.log.2.dr	String found in binary or memory: https://acs.lavasoft.com/api/v2/url/permanentwhitelist
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://acs.lavasoft.comZhttps://acs.lavasoft.com/api/v2/url/blacklistlhttps://acs.lavasoft.com/api/
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://acscdn.lavasoft.com/urlnotificationlist.json
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://acscdn.lavasoft.comhhttps://acscdn.lavasoft.com/urlnotificationlist.json0https://webcompanio
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: https://addons.mozilla.org/en-US/firefox/
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreD0
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxD0
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/D0
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_appD0
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/D0
Source: WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsD0
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	String found in binary or memory: https://easylist-downloads.adblockplus.org/easylist.txtzhttps://easylist-downloads.adblockplus.org/e
Source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	String found in binary or memory: https://easylist-downloads.adblockplus.org/easylistgermany.txt
Source: WebCompanion.exe, 00000008.00000002.742359242.0000000000CF2000.00000020.00000001.01000000.00000016.sdmp, FeatureComponent.dll.2.dr	String found in binary or memory: https://eventstaging.lavasoft.com/v1/event-stat
Source: WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp	String found in binary or memory: https://eventstaging.lavasoft.com/v1/event-statFhttps://flwadw.com/v1/event-stat-wclhttp://staging-c
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002848000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.000000000282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://featureflags.lavasoft.com
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002972000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://featureflags.lavasoft.com/api/Update/WC
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://featureflags.lavasoft.com/api/Update/WCyhttps://sandbox-featureflags-api.lavasoft.net/api/fe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002848000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://featureflags.lavasoft.com/api/feature/WC
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://featureflags.lavasoft.com/api/feature/WC$https://flwadw.comFhttps://flwadw.com/v1/event-stat
Source: WebCompanion.exe, 00000009.00000002.742425946.000000000282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://featureflags.lavasoft.com/api/feature/WC4
Source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: https://feedbackapi.adaware.com/api/feedback;http://webcompanion.com/check
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://flow.lavasoft.com/v1/event-stat/v1/event-stat
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002435000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002421000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C8000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com
Source: FeatureComponent.dll.2.dr	String found in binary or memory: https://flwadw.com/v1/event-stat
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C8000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat-wc
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002435000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1LR
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat-wcH
Source: WebCompanion.exe, 00000009.00000002.763606524.000000000D8F1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=FeatureFlagRequest&ProductID=wc&EventVersion=1
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=NanoBrowser&ProductID=wc&EventVersion=1LR
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002435000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002421000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1LR
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=Start&ProductID=wc&EventVersion=1
Source: WebCompanion.exe, 00000009.00000002.763606524.000000000D8F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=UIOpen&ProductID=wc&EventVersion=1
Source: WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flwadw.com/v1/event-stat?Type=UIOpen&ProductID=wc&EventVersion=1LR
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://flwadw.com/v1/event-statJhttp://staging-cloudflow.lavasoft.netlhttp://staging-cloudflow.lava
Source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	String found in binary or memory: https://indonesianadblockrules.googlecode.com/hg/subscriptions/abpindo.txtxhttps://easylist-download
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://partner-tracking.lavasoft.com/api/Tracking/Decrypt
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: https://partners.webcompanion.com/api/Partners/get-partner-by-id
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C4000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr, WcInstaller.log.2.dr	String found in binary or memory: https://rt.webcompanion.com/notifications/download/rt/dci/latest/Webprotection.zip
Source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	String found in binary or memory: https://ruadlist.googlecode.com/hg/advblock.txt(AdBlockAcceptableAds
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://sandbox-featureflags-api.lavasoft.net/api/Update/WC
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sandbox-featureflags-api.lavasoft.net/api/feature/WC
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/ff
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/yhs/search
Source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sg-bitmask.adaware.com/bitmask/allmaskvalues
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	String found in binary or memory: https://staging-bitmask.lavasoft.net/bitmask/allmaskvalues
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: https://staging-webcompanion.lavasoft.net/dci/4.0.0.14/Webprotection.zip
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp, WebCompanion.exe, 00000009.00000002.741887657.00000000002DC000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll0.2.dr, WebCompanion.exe.2.dr	String found in binary or memory: https://twitter.com/lavasoft
Source: WebCompanion.exe, 00000008.00000002.747621560.00000000065AF000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/search
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: https://wcdownloader-qa.lavasoft.com/13.0.0.1080/WebCompanion-13.0.0.1080-internal.zip
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: https://wcdownloader-qa.lavasoft.com/13.0.0.1080/WebCompanionInstaller-13.0.0.1080-internal.exe
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: https://wcdownloader-qa.lavasoft.com/13.0.0.1080/webinstaller-13.0.0.1080-internal.zip
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wcdownloadercdn.lavasoft.com
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WcInstaller.log.2.dr	String found in binary or memory: https://wcdownloadercdn.lavasoft.com/13.0.0.1080/WCInstaller_NonAdmin.exe
Source: Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	String found in binary or memory: https://wcdownloadercdn.lavasoft.com/13.0.0.1080/WebCompanionInstaller-13.0.0.1080-prod.exe
Source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WcInstaller.log.2.dr	String found in binary or memory: https://wcdownloadercdn.lavasoft.com/13.900.0.1080/WebCompanion-13.900.0.1080-prod.zip
Source: WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/en/DJ
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://webcompanion.com/en/help.php
Source: WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://webcompanion.com/en/install.php?partner=
Source: WcInstaller.log.2.dr	String found in binary or memory: https://webcompanion.com/images/favicon.ico
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://webcompanion.com/uninstall.php?utm_source=wc&utm_medium=
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://webcompanion.com/unsafe.php?utm_source=WCHhttps://webcompanion.com/en/help.php.https://www.a
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://webcompanion.com/unsafe.php?utm_source=WCghttp://pp.webcompanion.com/unsafe.php?utm_source=W
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.adaware.com/privacy-policy
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.adaware.com/terms-of-use
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com:443

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown	Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49273
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49262
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.149.130:443 -> 192.168.2.22:49191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.149.130:443 -> 192.168.2.22:49219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.27.149:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.26.149:443 -> 192.168.2.22:49246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.22:49251 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.27.149:443 -> 192.168.2.22:49254 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\Setup.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 770B0000 page execute and read and write

Sample file is different than original file name gathered from version info

Source: Setup.exe, 00000000.00000002.741840276.000000000096D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstaller.exeR vs Setup.exe
Source: Setup.exe, 00000000.00000000.347117320.0000000000427000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstaller.exeR vs Setup.exe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebCompanion-Installer.resources.dllL vs Setup.exe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs Setup.exe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebCompanion-Installer.resources.dllL vs Setup.exe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs Setup.exe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_OriginalFilename vs Setup.exe
Source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebCompanion.exe> vs Setup.exe
Source: Setup.exe, 00000000.00000002.741770183.0000000000611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebCompanion.exe> vs Setup.exe
Source: Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: get_OriginalFilename vs Setup.exe
Source: Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebCompanion.exe> vs Setup.exe
Source: Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebCompanion-Installer.resources.dllL vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameInstaller.exeR vs Setup.exe

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: ICSharpCode.SharpZipLib.dll.0.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: classification engine

Classification label: mal54.phis.troj.spyw.evad.winEXE@11/150@26/6

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

File created: C:\Users\user\AppData\Roaming\Lavasoft

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Mutant created: \Sessions\1\BaseNamedObjects\AdAwareWebCompanionuser

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT Value FROM DataCollector where key='SearchNotificationDismissedAge'statistic.db;Version=3;igt-
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT Value FROM DataCollector where key='FirefoxSearchRemoveDays'ptions\statistic.db;Version=3;igt-
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT Value FROM DataCollector where key='FirefoxSearchUsedDays'\Options\statistic.db;Version=3;igt-
Source: WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT Value FROM DataCollector where key='InstallAge'b Companion\Options\statistic.db;Version=3;gn":"20541619131","wcyid":"WCYID10249","clidhp":21733
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM bwl_stats ORDER BY date DESC LIMIT 1t\Web Companion\Options\statistic.db;Version=3;Read Only=True;t-
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT Value FROM DataCollector where key='ChromeSearchUsedDays'n\Options\statistic.db;Version=3;igt-
Source: WebCompanion.exe, 00000008.00000002.742500209.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT Value FROM DataCollector where key='ChromeSearchRemoveDays'Options\statistic.db;Version=3;igt-

Source: Setup.exe

ReversingLabs: Detection: 29%

Source: Setup.exe

String found in binary or memory: RunProgram="WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=20541619131 --version=13.900.0.1080"

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=20541619131 --version=13.900.0.1080
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh http add urlacl url=http://+:9007/ user=Everyone
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --minimize
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --minimize
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=20541619131 --version=13.900.0.1080	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh http add urlacl url=http://+:9007/ user=Everyone	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: d3d8thk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpqec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: qutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ws2help.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nci.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: napmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pcollab.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ucrtbased.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: liblz4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: vcruntime140d.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ucrtbased.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: liblz4.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: pcwum.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: d3d8thk.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: shcore.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: windowscodecsext.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: icm32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: msdtcprx.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: mtxclu.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: utildll.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: vcruntime140d.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ucrtbased.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: liblz4.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: pcwum.dll
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Section loaded: httpapi.dll

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{a056d2c3-adf7-4778-84b5-d927fc6847f2}

Jump to behavior

PE / OLE file has a valid certificate

Source: Setup.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.SysInfo\obj\Debug\Lavasoft.SysInfo.pdb source: WebCompanion.exe, 00000008.00000002.746264076.0000000005252000.00000020.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils.SqlLite\obj\x86\Debug\Lavasoft.Utils.SqlLite.pdb source: WebCompanion.exe, 00000008.00000002.742184545.0000000000752000.00000020.00000001.01000000.00000013.sdmp, Lavasoft.Utils.SqlLite.dll.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\FeatureMainComponent\obj\Debug\FeatureComponent.pdb source: WebCompanion.exe, 00000008.00000002.742359242.0000000000CF2000.00000020.00000001.01000000.00000016.sdmp, FeatureComponent.dll.2.dr
Source:	Binary string: C:\Users\michael.bilinsky\Downloads\managedesent-88b673\EsentInterop\obj\Debug\Esent.Interop.pdb source: Esent.Interop.dll.2.dr
Source:	Binary string: p\C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application/WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdb source: WebCompanion.exe, 00000009.00000002.742241549.0000000000CEC000.00000020.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.CSharp.Utilities\obj\x86\Debug\Lavasoft.CSharp.Utilities.pdb source: Lavasoft.CSharp.Utilities.dll.2.dr
Source:	Binary string: p\C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Projects\WebCompanion\Common\SearchProtect.WinService\obj\Debug\Lavasoft.WCAssistant.WinService.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002915000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eApplication/WebCompanion-Installer.pdbPK source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.zip.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils\obj\x86\Debug\Lavasoft.Utils.pdb source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr
Source:	Binary string: c:\Windows\Temp\drone-ME4saUyIgSY9rSgY\drone\src\WebCompanion\Lavasoft.AppCore\obj\Release\Lavasoft.AppCore.pdbp source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Events\obj\x86\Debug\Lavasoft.Events.pdb source: WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.WcfService\obj\Debug\Lavasoft.WCAssistant.WcfService.pdbL source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002915000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: WebCompanion.exe, 00000008.00000002.747353038.00000000063A2000.00000020.00000001.01000000.0000001C.sdmp, Ionic.Zip.dll.2.dr
Source:	Binary string: Application/WebCompanion-Installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.zip.2.dr
Source:	Binary string: CreateLavasoft.Utils.Features.PartnerInfoppCore.pdbpdbore.pdbo source: WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: WebCompanion.exe, 00000008.00000002.747353038.00000000063A2000.00000020.00000001.01000000.0000001C.sdmp, Ionic.Zip.dll.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils.SqlLite\obj\x86\Debug\Lavasoft.Utils.SqlLite.pdbl< source: WebCompanion.exe, 00000008.00000002.742184545.0000000000752000.00000020.00000001.01000000.00000013.sdmp, Lavasoft.Utils.SqlLite.dll.2.dr
Source:	Binary string: CreateLavasoft.Utils.Features.PartnerInfoppCore.pdbpdbore.pdb source: WebCompanion.exe, 00000008.00000002.746342130.00000000055F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdbX. source: WebCompanion.exe, 00000009.00000002.742241549.0000000000CEC000.00000020.00000001.01000000.00000014.sdmp
Source:	Binary string: p&Application/WebCompanion-Installer.pdb@\ source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.WcfService\obj\Debug\Lavasoft.WCAssistant.WcfService.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002915000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Events\obj\x86\Debug\Lavasoft.Events.pdbX source: WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.Service.Logger\obj\Debug\Lavasoft.WCAssistant.Service.Logger.pdbh- source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, Lavasoft.WCAssistant.Service.Logger.dll.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet\bin\2008\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb`: source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\Lavasoft.Utils\obj\x86\Debug\Lavasoft.Utils.pdb$ source: WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr
Source:	Binary string: &Application/WebCompanion-Installer.pdb source: WebCompanion.zip.2.dr
Source:	Binary string: c:\Temp\Release\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.745547016.0000000005589000.00000020.00000001.01000000.00000008.sdmp, WebCompanion.exe, 00000008.00000002.745271283.0000000004C72000.00000020.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\SourceCode\TFS\MozCompressor\Debug\MozCompressor.pdb source: WebCompanion.exe, 00000008.00000002.745149373.0000000004BF5000.00000002.00000001.01000000.00000018.sdmp, MozCompressor.dll.2.dr
Source:	Binary string: C:\Windows\TEMP\drone-ME4saUyIgSY9rSgY\drone\src\Common\VPNService\obj\x86\Debug\VPNServiceWCF.pdb source: VPNServiceWCF.dll.2.dr
Source:	Binary string: vcruntime140d.i386.pdb+++ source: WebCompanion.exe, 00000008.00000002.749384362.0000000062361000.00000020.00000001.01000000.00000019.sdmp, vcruntime140d.dll.2.dr
Source:	Binary string: D:\Projects\Adaware\webcompanion\Common\SearchProtect.Service.Logger\obj\Debug\Lavasoft.WCAssistant.Service.Logger.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, Lavasoft.WCAssistant.Service.Logger.dll.2.dr
Source:	Binary string: ucrtbased.pdb source: WebCompanion.exe, 00000008.00000002.748533348.00000000621C1000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: vcruntime140d.i386.pdb source: WebCompanion.exe, 00000008.00000002.749384362.0000000062361000.00000020.00000001.01000000.00000019.sdmp, vcruntime140d.dll.2.dr
Source:	Binary string: Application/WebCompanion-Installer.pdbPK source: WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.zip.2.dr
Source:	Binary string: c:\Windows\Temp\drone-ME4saUyIgSY9rSgY\drone\src\WebCompanion\Lavasoft.AppCore\obj\Release\Lavasoft.AppCore.pdb source: WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: c:\Windows\Temp\drone-ME4saUyIgSY9rSgY\drone\src\WebCompanion\Installer\WebCompanionInstaller\obj\Release\WebCompanion-Installer.pdb source: Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: webcompanion-installer.pdb source: WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005899000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net35\WpfAnimatedGif.pdb source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000262D000.00000004.00000800.00020000.00000000.sdmp, WpfAnimatedGif.dll.2.dr
Source:	Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net35\WpfAnimatedGif.pdbSHA256 source: WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000262D000.00000004.00000800.00020000.00000000.sdmp, WpfAnimatedGif.dll.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet\bin\2008\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: WebCompanion.exe, 00000008.00000002.749822920.0000000069A58000.00000002.00000001.01000000.00000015.sdmp, SQLite.Interop.dll0.2.dr

Data Obfuscation

PE file contains an invalid checksum

Source: Setup.exe	Static PE information: real checksum: 0x8f918 should be: 0x88572
Source: WebCompanion-Installer.resources.dll8.0.dr	Static PE information: real checksum: 0x0 should be: 0xa6a7
Source: WebCompanion-Installer.resources.dll5.0.dr	Static PE information: real checksum: 0x0 should be: 0xc6c2
Source: WebCompanion-Installer.resources.dll1.0.dr	Static PE information: real checksum: 0x0 should be: 0x3e3f
Source: WebCompanion-Installer.resources.dll7.0.dr	Static PE information: real checksum: 0x0 should be: 0xcb69
Source: WebCompanion-Installer.resources.dll2.0.dr	Static PE information: real checksum: 0x0 should be: 0x4885
Source: WebCompanion-Installer.resources.dll4.0.dr	Static PE information: real checksum: 0x0 should be: 0x5659
Source: WebCompanion-Installer.resources.dll6.0.dr	Static PE information: real checksum: 0x0 should be: 0xd8a3
Source: WebCompanion-Installer.resources.dll0.0.dr	Static PE information: real checksum: 0x0 should be: 0xe72f
Source: WebCompanion-Installer.resources.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2ab0
Source: WebCompanion-Installer.resources.dll3.0.dr	Static PE information: real checksum: 0x0 should be: 0x842b

PE file contains sections with non-standard names

Source: Setup.exe	Static PE information: section name: .sxdata
Source: acs17.dll.2.dr	Static PE information: section name: .textbss
Source: acs17.dll.2.dr	Static PE information: section name: .msvcjmc
Source: acs17.dll.2.dr	Static PE information: section name: .00cfg

Source: DotNetZip.dll.2.dr

Static PE information: section name: .text entropy: 6.825871161326248

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\es-ES\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\fr-CA\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\pt-BR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\tr-TR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\tr-TR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\en-US\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\BCUSDK.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\zh-CHS\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureMainComponent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\zh-CHS\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\vcruntime140d.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\it-IT\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ru-RU\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\de-DE\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ja-JP\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\acs17.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceWCF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\pt-BR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ja-JP\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\BCUEngineS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\es-ES\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\NCalc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\fr-CA\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\7za.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\LZ4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ucrtbased.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ja-JP\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\it-IT\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\liblz4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.Shell32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ru-RU\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Esent.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	File created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\de-DE\WebCompanion-Installer.resources.dll	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

File created: C:\Users\user\AppData\Local\Temp\WcInstaller.log

Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 4.0.0.0\Linkage

Modifies existing windows services

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lavasoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion\Frequently Asked Questions.url	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion\Web Companion.lnk	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Web Companion			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Web Companion			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Memory allocated: 2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Memory allocated: 2110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Memory allocated: 770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 27C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 3B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 27C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 2C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 27C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Memory allocated: 990000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 300000

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Window / User API: threadDelayed 1348
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Window / User API: threadDelayed 667

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\es-ES\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\x86\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\fr-CA\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\pt-BR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\tr-TR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\tr-TR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\BCUSDK.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\en-US\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\zh-CHS\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\zh-Hans\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureMainComponent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\zh-CHS\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\it-IT\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ru-RU\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\de-DE\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ja-JP\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\acs17.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceWCF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\pt-BR\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ja-JP\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\BCUEngineS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\es-ES\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\NCalc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\fr-CA\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\7za.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\LZ4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ja-JP\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\it-IT\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ru-RU\WebCompanion-Installer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Esent.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS053FCFED\de-DE\WebCompanion-Installer.resources.dll	Jump to dropped file

Is looking for software installed on the system

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

Registry key enumerated: More than 403 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe TID: 1940	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe TID: 1128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe TID: 1128	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 1200	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 200	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2344	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 1756	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 1252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2544	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 1756	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2424	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 1444	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 1520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 2840	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe TID: 1444	Thread sleep time: -300000s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Thread delayed: delay time: 300000

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Lavasoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\	Jump to behavior

Source: WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe.2.dr	Binary or memory string: #=zJcSAKVf2Oq7SX1AJhgfS4PSYmp4K
Source: WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: vmware

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240402 --nonadmin --direct --tych --campaign=20541619131 --version=13.900.0.1080	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Process created: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe "C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh http add urlacl url=http://+:9007/ user=Everyone	Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS053FCFED\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS053FCFED\en-US\WebCompanion-Installer.resources.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS053FCFED\ICSharpCode.SharpZipLib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\156647e90ed1919cfafce12417c2892c\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\156647e90ed1919cfafce12417c2892c\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanionIcon.ico VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\NCalc.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\156647e90ed1919cfafce12417c2892c\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Internet Explorer zone settings

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 2301

Jump to behavior

Modifies Internet Explorer zonemap settings

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost *			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com http			Jump to behavior

Overwrites Mozilla Firefox settings

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh http add urlacl url=http://+:9007/ user=Everyone

Adds / modifies Windows certificates

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 Blob

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\search.json.mozlz4
Source: C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	311 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	33 System Information Discovery	Remote Desktop Protocol	3 Browser Session Hijacking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Windows Service	21 Windows Service	1 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	11 Process Injection	1 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	11 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	29%	ReversingLabs	Win32.PUA.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\7zS053FCFED\ICSharpCode.SharpZipLib.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\Newtonsoft.Json.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\WebCompanion-Installer.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\de-DE\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\en-US\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\es-ES\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\fr-CA\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\it-IT\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\ja-JP\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\pt-BR\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\ru-RU\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\tr-TR\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS053FCFED\zh-CHS\WebCompanion-Installer.resources.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\7za.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\BCUEngineS.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\BCUSDK.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\DotNetZip.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Esent.Interop.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureComponent.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureInstaller.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\FeatureMainComponent.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.IWshRuntimeLibrary.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.Shell32.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Ionic.Zip.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\LZ4.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.SqlLite.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	5%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Microsoft.mshtml.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\MozCompressor.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\NCalc.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\Newtonsoft.Json.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\System.Data.SQLite.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceHost.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\VPNServiceWCF.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe	12%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WpfAnimatedGif.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\acs17.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\de-DE\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\en-US\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\es-ES\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\fr-CA\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\fr-CA\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\it-IT\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ja-JP\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ja-JP\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\liblz4.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\log4net.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\pt-BR\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\pt-BR\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ru-RU\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\ru-RU\WebCompanion.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\tr-TR\WebCompanion-Installer.resources.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\tr-TR\WebCompanion.resources.dll	4%	ReversingLabs

Source	Detection	Scanner	Label
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://flwadw.com/v1/event-stat?Type=UIOpen&ProductID=wc&EventVersion=1LR	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/CreatUninstallInfoT	0%	Avira URL Cloud	safe
https://staging-bitmask.lavasoft.net/bitmask/allmaskvalues	0%	Avira URL Cloud	safe
https://flwadw.com/v1/event-stat?Type=CompleteInstall&ProductID=wc&EventVersion=1	0%	Avira URL Cloud	safe
http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_ac	0%	Avira URL Cloud	safe
http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_ab	0%	Avira URL Cloud	safe
https://partners.webcompanion.com/api/Partners/get-partner-by-id	0%	Avira URL Cloud	safe
https://flwadw.com/v1/event-stat	0%	Avira URL Cloud	safe
http://www.codeproject.com/Articles/28093/Using-RoutedCommands-with-a-ViewModel-in-WPF	0%	Avira URL Cloud	safe
https://featureflags.lavasoft.com/api/Update/WCyhttps://sandbox-featureflags-api.lavasoft.net/api/fe	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
https://wcdownloader-qa.lavasoft.com/13.0.0.1080/WebCompanion-13.0.0.1080-internal.zip	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureT	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/IsVPNConnectedResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/GetConnectionInfo	0%	Avira URL Cloud	safe
http://drive.google.com/D0	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNResponse	0%	Avira URL Cloud	safe
http://www.youtube.comD0	0%	Avira URL Cloud	safe
https://search.yahoo.com/yhs/search	0%	Avira URL Cloud	safe
https://docs.google.com/	0%	Avira URL Cloud	safe
https://ruadlist.googlecode.com/hg/advblock.txt(AdBlockAcceptableAds	0%	Avira URL Cloud	safe
https://completion.amazon.com/search/complete?q=	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SilentUninstallT	0%	Avira URL Cloud	safe
http://rt.webcompanion.com/notifications/download/rt/IEBhoHelperTest.exe	0%	Avira URL Cloud	safe
http://tempuri.org/SendWCFeedbackT	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	Avira URL Cloud	safe
https://www.amazon.com/exec/obidos/external-search/	0%	Avira URL Cloud	safe
https://flwadw.com/v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1	0%	Avira URL Cloud	safe
http://rt.webcompanion.com/notifications/download/rt/typolist.txt.http://www.lavasoft.com6http://www	0%	Avira URL Cloud	safe
http://aia.entrust.net/evcs2-chain.p7c01	0%	Avira URL Cloud	safe
http://wpfanimatedgif.codeplex.com	0%	Avira URL Cloud	safe
http://rt.webcompanion.com/notifications/download/rt/searchenginetemplate.xmlQhttps://appdownload.la	0%	Avira URL Cloud	safe
http://www.lavasoft.com/mylavasoft/contact	0%	Avira URL Cloud	safe
http://www.gophish.com	0%	Avira URL Cloud	safe
http://rt.webcompanion.com/notifications/download/rt/Silverlight_x64.exe	0%	Avira URL Cloud	safe
https://addons.mozilla.org/en-US/firefox/	0%	Avira URL Cloud	safe
http://tempuri.org/ILocalyHostedService/Rewards	0%	Avira URL Cloud	safe
http://www.entrust.net/rpa03	0%	Avira URL Cloud	safe
https://featureflags.lavasoft.com	0%	Avira URL Cloud	safe
https://wcdownloadercdn.lavasoft.com/13.900.0.1080/WebCompanion-13.900.0.1080-prod.zip	0%	Avira URL Cloud	safe
https://acs.lavasoft.com/api/v2/url/permanentwh	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/LoadConfig	0%	Avira URL Cloud	safe
https://webcompanion.com/uninstall.php?utm_source=wc&utm_medium=	0%	Avira URL Cloud	safe
https://twitter.com/search	0%	Avira URL Cloud	safe
https://search.yahoo.com/sugg/ff	0%	Avira URL Cloud	safe
http://geo.lavasoft.com/	0%	Avira URL Cloud	safe
http://wc-partners.lavasoft.com	0%	Avira URL Cloud	safe
https://feedbackapi.adaware.com/api/feedback;http://webcompanion.com/check	0%	Avira URL Cloud	safe
https://wcdownloadercdn.lavasoft.com/13.0.0.1080/WCInstaller_NonAdmin.exe	0%	Avira URL Cloud	safe
https://drive.google.com/?usp=chrome_appD0	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetHomePageIET	0%	Avira URL Cloud	safe
http://tempuri.org/ILocalyHostedService/RewardsResponse	0%	Avira URL Cloud	safe
http://webcompanion.com/version_logs?json=true&version=	0%	Avira URL Cloud	safe
http://tempuri.org/ILocalyHostedService/GetParameters	0%	Avira URL Cloud	safe
https://webcompanion.com/unsafe.php?utm_source=WCHhttps://webcompanion.com/en/help.php.https://www.a	0%	Avira URL Cloud	safe
https://flwadw.com/v1/event-stat?Type=ToggleButton&ProductID=wc&EventVersion=1	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetNewTabIET	0%	Avira URL Cloud	safe
http://rt.webcompanion.com/notifications/download/rt/postrun/preprod/v1/FeatureActions.zip	0%	Avira URL Cloud	safe
https://flwadw.com/v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1LR	0%	Avira URL Cloud	safe
https://webcompanion.com/unsafe.php?utm_source=WCghttp://pp.webcompanion.com/unsafe.php?utm_source=W	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPN	0%	Avira URL Cloud	safe
http://wcdownloadercdn.lavasoft.com/13.0.0.1	0%	Avira URL Cloud	safe
http://tempuri.org/WcSendAutoResponseEmailT	0%	Avira URL Cloud	safe
http://webcompanion.com/version_logs?json=true&version=13.900.0.1080	0%	Avira URL Cloud	safe
http://wc-update-service.lavasoft.com/components.asmx	0%	Avira URL Cloud	safe
http://pp.webcompanion.com/notifications/download/rt/aabrowser.zip	0%	Avira URL Cloud	safe
http://crl.entrust.net/g2ca.crl0	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	Avira URL Cloud	safe
http://tempuri.org/A	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/VPNService.WCF.Model	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/TurnOffVPN	0%	Avira URL Cloud	safe
https://eventstaging.lavasoft.com/v1/event-stat	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/GetLocationsT	0%	Avira URL Cloud	safe
https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3	0%	Avira URL Cloud	safe
https://wcdownloadercdn.lavasoft.com	0%	Avira URL Cloud	safe
https://www.adaware.com/privacy-policy	0%	Avira URL Cloud	safe
https://eventstaging.lavasoft.com/v1/event-statFhttps://flwadw.com/v1/event-stat-wclhttp://staging-c	0%	Avira URL Cloud	safe
https://acs.lavasoft.com/api/v2/url/permanentwhitelist	0%	Avira URL Cloud	safe
http://tempuri.org/SendEmailT	0%	Avira URL Cloud	safe
http://www.apache.org/).	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	0%	Avira URL Cloud	safe
http://webcompanion.com/google_chrome_incompatibility	0%	Avira URL Cloud	safe
http://tempuri.org/ILocalyHostedServiceInstaller/ChangeScreenResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/CopyFilesT	0%	Avira URL Cloud	safe
http://tempuri.org/IWCAssistantService/SetSearchEngineIET	0%	Avira URL Cloud	safe
http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_wb	0%	Avira URL Cloud	safe
https://www.google.com:443	0%	Avira URL Cloud	safe
https://flwadw.com/v1/event-stat?Type=FirstRun&ProductID=wc&EventVersion=1	0%	Avira URL Cloud	safe
http://webcompanion.com/images/email/tw-icon.png	0%	Avira URL Cloud	safe
http://tempuri.org/IVPNServiceWCF/IsVPNConnected	0%	Avira URL Cloud	safe
http://system.data.sqlite.org/X	0%	Avira URL Cloud	safe
https://sg-bitmask.adaware.com/bitmask/allmaskvalues	0%	Avira URL Cloud	safe
http://rt.webcompanion.com/notifications/download/rt/typolist.txt5Creating	0%	Avira URL Cloud	safe
https://staging-webcompanion.lavasoft.net/dci/4.0.0.14/Webprotection.zip	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
geo.lavasoft.com	104.16.149.130	true	false	unknown
partners.webcompanion.com	104.19.208.152	true	false	unknown
cdn.inspectlet.com	104.22.56.245	true	false	unknown
wcdownloadercdn.lavasoft.com	104.16.149.130	true	false	unknown
featureflags.lavasoft.com	104.16.148.130	true	false	unknown
flwadw.com	104.18.26.149	true	false	unknown
sg-bitmask.adaware.com	104.16.213.94	true	false	unknown
webcompanion.com	104.19.159.224	true	true	unknown
cdn.cookielaw.org	104.19.178.52	true	false	unknown
geolocation.onetrust.com	104.18.32.137	true	false	unknown
wc-partners.lavasoft.com	64.18.87.81	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://flwadw.com/v1/event-stat?Type=CompleteInstall&ProductID=wc&EventVersion=1	false	Avira URL Cloud: safe	unknown
https://flwadw.com/v1/event-stat?Type=FeatureActionInfo&ProductID=wc&EventVersion=1	false	Avira URL Cloud: safe	unknown
https://wcdownloadercdn.lavasoft.com/13.900.0.1080/WebCompanion-13.900.0.1080-prod.zip	false	Avira URL Cloud: safe	unknown
http://geo.lavasoft.com/	false	Avira URL Cloud: safe	unknown
https://flwadw.com/v1/event-stat?Type=ToggleButton&ProductID=wc&EventVersion=1	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/version_logs?json=true&version=13.900.0.1080	false	Avira URL Cloud: safe	unknown
https://flwadw.com/v1/event-stat?Type=FirstRun&ProductID=wc&EventVersion=1	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://flwadw.com/v1/event-stat?Type=UIOpen&ProductID=wc&EventVersion=1LR	WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://featureflags.lavasoft.com/api/Update/WCyhttps://sandbox-featureflags-api.lavasoft.net/api/fe	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_ac	WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_ab	WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/CreatUninstallInfoT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://staging-bitmask.lavasoft.net/bitmask/allmaskvalues	WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://flwadw.com/v1/event-stat	FeatureComponent.dll.2.dr	false	Avira URL Cloud: safe	unknown
http://www.codeproject.com/Articles/28093/Using-RoutedCommands-with-a-ViewModel-in-WPF	WebCompanion.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://partners.webcompanion.com/api/Partners/get-partner-by-id	WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/IsVPNConnectedResponse	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://drive.google.com/D0	WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IWCAssistantService/ProcessRemoteFeatureT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/yhs/search	WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wcdownloader-qa.lavasoft.com/13.0.0.1080/WebCompanion-13.0.0.1080-internal.zip	Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPNResponse	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/GetConnectionInfo	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.youtube.comD0	WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ruadlist.googlecode.com/hg/advblock.txt(AdBlockAcceptableAds	WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/SilentUninstallT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/	WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://completion.amazon.com/search/complete?q=	WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rt.webcompanion.com/notifications/download/rt/IEBhoHelperTest.exe	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/SendWCFeedbackT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rt.webcompanion.com/notifications/download/rt/typolist.txt.http://www.lavasoft.com6http://www	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/evcs2-chain.p7c01	Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	false	Avira URL Cloud: safe	unknown
http://rt.webcompanion.com/notifications/download/rt/searchenginetemplate.xmlQhttps://appdownload.la	WebCompanion.exe, 00000008.00000002.742035065.00000000005B2000.00000020.00000001.01000000.00000011.sdmp, Lavasoft.Utils.dll.2.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000282C000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wpfanimatedgif.codeplex.com	WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000262D000.00000004.00000800.00020000.00000000.sdmp, WpfAnimatedGif.dll.2.dr	false	Avira URL Cloud: safe	unknown
http://www.gophish.com	WebCompanion.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.lavasoft.com/mylavasoft/contact	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002679000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002706000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000271F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002647000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002787000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion.resources.dll0.2.dr, WebCompanion.resources.dll7.2.dr, WebCompanion.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://rt.webcompanion.com/notifications/download/rt/Silverlight_x64.exe	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/ILocalyHostedService/Rewards	WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://addons.mozilla.org/en-US/firefox/	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	false	Avira URL Cloud: safe	unknown
https://featureflags.lavasoft.com	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002848000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.000000000282C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/LoadConfig	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://acs.lavasoft.com/api/v2/url/permanentwh	WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005810000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/ff	WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/search	WebCompanion.exe, 00000008.00000002.747621560.00000000065AF000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/uninstall.php?utm_source=wc&utm_medium=	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://wc-partners.lavasoft.com	WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://feedbackapi.adaware.com/api/feedback;http://webcompanion.com/check	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://wcdownloadercdn.lavasoft.com/13.0.0.1080/WCInstaller_NonAdmin.exe	WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WcInstaller.log.2.dr	false	Avira URL Cloud: safe	unknown
https://drive.google.com/?usp=chrome_appD0	WebCompanion.exe, 00000009.00000002.742425946.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/SetHomePageIET	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/ILocalyHostedService/RewardsResponse	WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/ILocalyHostedService/GetParameters	WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/version_logs?json=true&version=	WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/unsafe.php?utm_source=WCHhttps://webcompanion.com/en/help.php.https://www.a	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/SetNewTabIET	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://rt.webcompanion.com/notifications/download/rt/postrun/preprod/v1/FeatureActions.zip	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://flwadw.com/v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1LR	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002435000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000281A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002421000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/unsafe.php?utm_source=WCghttp://pp.webcompanion.com/unsafe.php?utm_source=W	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/ConnectDisconnectVPN	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/WcSendAutoResponseEmailT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://wcdownloadercdn.lavasoft.com/13.0.0.1	WebCompanion-Installer.exe, 00000002.00000002.741957823.0000000000500000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wc-update-service.lavasoft.com/components.asmx	Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002614000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.763606524.000000000D959000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr, WebCompanion.exe.config.2.dr	false	Avira URL Cloud: safe	unknown
http://pp.webcompanion.com/notifications/download/rt/aabrowser.zip	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	WebCompanion-Installer.exe, 00000002.00000002.745666551.0000000005828000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.747621560.00000000065D1000.00000004.00000020.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.749471346.00000000052DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/g2ca.crl0	Setup.exe, WebCompanion.resources.dll3.2.dr, WebCompanion.resources.dll2.2.dr, WebCompanion-Installer.resources.dll0.2.dr, Ionic.Zip.dll.2.dr, WebCompanion.resources.dll0.2.dr, SQLite.Interop.dll0.2.dr, vcruntime140d.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, MozCompressor.dll.2.dr, liblz4.dll.2.dr, Esent.Interop.dll.2.dr, WebCompanion-Installer.resources.dll3.2.dr, Lavasoft.Utils.SqlLite.dll.2.dr, Lavasoft.Utils.dll.2.dr, FeatureComponent.dll.2.dr, WebCompanion-Installer.resources.dll1.2.dr, Lavasoft.WCAssistant.Service.Logger.dll.2.dr, VPNServiceWCF.dll.2.dr, WpfAnimatedGif.dll.2.dr, WebCompanion-Installer.resources.dll4.2.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/A	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/VPNService.WCF.Model	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/TurnOffVPN	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eventstaging.lavasoft.com/v1/event-stat	WebCompanion.exe, 00000008.00000002.742359242.0000000000CF2000.00000020.00000001.01000000.00000016.sdmp, FeatureComponent.dll.2.dr	false	Avira URL Cloud: safe	unknown
https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3	WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp, WebCompanion.exe, 00000009.00000002.741887657.00000000002DC000.00000002.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/GetLocationsT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://wcdownloadercdn.lavasoft.com	WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000023E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://acs.lavasoft.com/api/v2/url/permanentwhitelist	WebCompanion-Installer.exe, 00000002.00000002.742310595.00000000021C4000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217B000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002181000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000217E000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000287B000.00000004.00000800.00020000.00000000.sdmp, WcInstaller.log.2.dr	false	Avira URL Cloud: safe	unknown
https://www.adaware.com/privacy-policy	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://eventstaging.lavasoft.com/v1/event-statFhttps://flwadw.com/v1/event-stat-wclhttp://staging-c	WebCompanion.exe, 00000008.00000002.742206694.0000000000B22000.00000020.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/SendEmailT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/).	WebCompanion.exe, 00000009.00000002.741867833.0000000000292000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/ILocalyHostedServiceInstaller/ChangeScreenResponse	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/CopyFilesT	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/google_chrome_incompatibility	WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN240402_wb	WebCompanion.exe, 00000008.00000002.742500209.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IWCAssistantService/SetSearchEngineIET	WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com:443	WebCompanion.exe, 00000008.00000002.742500209.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000002.742500209.000000000298B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/images/email/tw-icon.png	WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002660000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000008.00000000.456336095.000000000133B000.00000020.00000001.01000000.0000000E.sdmp, WebCompanion.exe, 00000009.00000002.750980749.00000000063C2000.00000020.00000001.01000000.00000020.sdmp, WebCompanion.resources.dll0.2.dr, WebCompanion.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IVPNServiceWCF/IsVPNConnected	WebCompanion.exe, 00000009.00000002.742425946.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://system.data.sqlite.org/X	WebCompanion.exe, 00000008.00000002.742307382.0000000000C14000.00000002.00000001.01000000.00000014.sdmp	false	Avira URL Cloud: safe	unknown
https://sg-bitmask.adaware.com/bitmask/allmaskvalues	WebCompanion.exe, 00000008.00000002.742500209.000000000287F000.00000004.00000800.00020000.00000000.sdmp, WebCompanion.exe, 00000009.00000002.741896612.00000000002E2000.00000020.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://staging-webcompanion.lavasoft.net/dci/4.0.0.14/Webprotection.zip	Setup.exe, 00000000.00000003.347402334.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.000000000256A000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000002.742310595.0000000002494000.00000004.00000800.00020000.00000000.sdmp, WebCompanion-Installer.exe.config.0.dr, WebCompanion-Installer.exe.config.2.dr	false	Avira URL Cloud: safe	unknown
http://rt.webcompanion.com/notifications/download/rt/typolist.txt5Creating	Setup.exe, 00000000.00000003.347718441.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.347764084.0000000000260000.00000004.00001000.00020000.00000000.sdmp, WebCompanion-Installer.exe, 00000002.00000000.347791007.0000000000992000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.19.159.224	webcompanion.com	United States	13335	CLOUDFLARENETUS	true
64.18.87.81	wc-partners.lavasoft.com	Canada	21548	MTOCA	false
104.18.27.149	unknown	United States	13335	CLOUDFLARENETUS	false
104.16.149.130	geo.lavasoft.com	United States	13335	CLOUDFLARENETUS	false
104.16.148.130	featureflags.lavasoft.com	United States	13335	CLOUDFLARENETUS	false
104.18.26.149	flwadw.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465336
Start date and time:	2024-07-01 15:21:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	4
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal54.phis.troj.spyw.evad.winEXE@11/150@26/6
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe, WmiApSrv.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 216.58.215.227, 172.217.168.14, 142.250.102.84, 216.58.215.234, 142.250.203.106, 34.104.35.123, 172.217.168.3, 142.250.203.104, 204.79.197.237, 13.107.21.237
Excluded domains from analysis (whitelisted): fonts.googleapis.com, bat-bing-com.dual-a-0034.a-msedge.net, accounts.google.com, ajax.googleapis.com, fonts.gstatic.com, clientservices.googleapis.com, clients2.google.com, redirector.gvt1.com, edgedl.me.gvt1.com, www.googletagmanager.com, bat.bing.com, dual-a-0034.a-msedge.net, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
06:23:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Web Companion C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
06:23:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Web Companion C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
09:23:20	API Interceptor	85691x Sleep call for process: WebCompanion-Installer.exe modified
09:24:20	API Interceptor	429x Sleep call for process: WebCompanion.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.19.159.224	Setup.exe	Get hash	malicious	Unknown	Browse	webcompanion.com/version_logs?json=true&version=12.901.4.1003
64.18.87.81	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=FZ210427_ac
	Setup.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	Setup.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	f_038023.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	f_000aab.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	f_000aab.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	f_000aab.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	f_000aab.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
	f_000aab.exe	Get hash	malicious	Unknown	Browse	wc-partners.lavasoft.com/Partner.svc/GetPartnerInfo?partner=IN220101_ac
104.18.27.149	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup (1).exe	Get hash	malicious	Unknown	Browse
	APInstaller (4).exe	Get hash	malicious	Unknown	Browse
	APInstaller.exe	Get hash	malicious	Unknown	Browse
	https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	WebCompanionInstaller-12.901.4.1003-prod.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.lavasoft.com	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.149.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	https://webcompanion.com/nano_download.php?savename=Setup.exe&partner=IN230901&nonadmin&direct&tych&campaign=18022583703	Get hash	malicious	Unknown	Browse	104.16.148.130
	https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322	Get hash	malicious	Unknown	Browse	104.17.8.52
	https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322	Get hash	malicious	Unknown	Browse	104.17.8.52
wcdownloadercdn.lavasoft.com	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.149.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.16.149.130
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.16.149.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.17.9.52
	Setup.exe	Get hash	malicious	Unknown	Browse	104.17.8.52
	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse	104.17.8.52
cdn.inspectlet.com	https://houkht.za.com/	Get hash	malicious	Unknown	Browse	172.67.10.172
	Setup.exe	Get hash	malicious	Unknown	Browse	172.67.10.172
	http://webcompanion.com	Get hash	malicious	Unknown	Browse	104.22.56.245
	http://www.corporateworldwidetransportation.com/	Get hash	malicious	Unknown	Browse	104.22.56.245
	Setup.exe	Get hash	malicious	Unknown	Browse	104.22.57.245
	f_038023.exe	Get hash	malicious	Unknown	Browse	104.22.56.245
	f_000aab.exe	Get hash	malicious	Unknown	Browse	104.22.56.245
	f_000aab.exe	Get hash	malicious	Unknown	Browse	104.22.56.245
	Setup.exe	Get hash	malicious	Unknown	Browse	172.67.10.172
featureflags.lavasoft.com	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	https://webcompanion.com/nano_download.php?savename=Setup.exe&partner=IN230901&nonadmin&direct&tych&campaign=18022583703	Get hash	malicious	Unknown	Browse	104.16.149.130
	https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322	Get hash	malicious	Unknown	Browse	104.17.9.52
	https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322	Get hash	malicious	Unknown	Browse	104.17.9.52

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://forms.office.com/e/tBp2XcGpEy	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	IMG_067_6331002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	new shippment.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
MTOCA	Setup.exe	Get hash	malicious	Unknown	Browse	64.18.87.82
	SecuriteInfo.com.Program.Unwanted.4662.20461.1147.exe	Get hash	malicious	Unknown	Browse	64.18.87.4
	SecuriteInfo.com.Program.Unwanted.4662.20461.1147.exe	Get hash	malicious	Unknown	Browse	64.18.87.4
	ffff6f6.msi	Get hash	malicious	Unknown	Browse	64.18.87.10
	uXUrccWxXO.elf	Get hash	malicious	Unknown	Browse	67.22.231.120
	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse	64.18.87.81
	dagQSRLYsB.elf	Get hash	malicious	Unknown	Browse	206.55.88.228
	huhu.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	206.55.88.205
	PDFViewer_46615443.msi	Get hash	malicious	Unknown	Browse	64.18.87.10
CLOUDFLARENETUS	https://forms.office.com/e/tBp2XcGpEy	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	IMG_067_6331002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	new shippment.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	S#U0130PAR#U0130#U015e-260624.exe	Get hash	malicious	Unknown	Browse	162.159.133.233
CLOUDFLARENETUS	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://forms.office.com/e/tBp2XcGpEy	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	IMG_067_6331002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	new shippment.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
36f7277af969a6947a61ae0b815907a1	paediatric neurologist medico legal 68003.js	Get hash	malicious	Unknown	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	Alinco Pipe Supply FE Product Specification & Drawing DESIGN.xls	Get hash	malicious	Unknown	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	Product Inquiry_#466788.xls	Get hash	malicious	FormBook	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	Alinco Pipe Supply FE Product Specification & Drawing DESIGN.xls	Get hash	malicious	Unknown	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	7YZlAbfKMg.rtf	Get hash	malicious	AgentTesla	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	Product Inquiry466789.xls	Get hash	malicious	AgentTesla	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	fs-windows-agent-3.4.0.msi	Get hash	malicious	Unknown	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	PROFORMA INVOICE.xls	Get hash	malicious	Remcos	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149
	RY94HT.docx	Get hash	malicious	Remcos	Browse	104.18.27.149 104.16.149.130 104.16.148.130 104.18.26.149

Process:	C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42930
Entropy (8bit):	5.504613987639663
Encrypted:	false
SSDEEP:	768:VAZRg759YLgtfzqAIfRr+nIfRC+gJ/VUh67TPBccOJ2+dMM2mibe1MxxHbIVPi3i:jzvIfRSnIfR/gJ/VUh67TPBcco2+dMM/
MD5:	CB4B82AA1C05F03BB1DA2B1B5F6D72D5
SHA1:	9E29D89075D1EA3EAE9015CB94D96E3A5243D369
SHA-256:	256BDA9CF794F3BF72F1B115DB7FFEE031C21A61D15A2671F7F6A62423D38B12
SHA-512:	C1C517969605FCBFE7DA6A0C4419F961F38E12A668974193FEFC0C1D1BB182A4E937EA6BF621D9C1D5DFB58E137A7B4877AFBAD7CA56401A3CFBE1674E1027D0
Malicious:	false
Reputation:	low
Preview:	INFO 2024-07-01 09:23:05 [1] [WebCompanion.UI.App #=zTY688A6jMj8KGHur5R$oUfHWnqjE] ------------------------------------------------------------------------------------------------------..INFO 2024-07-01 09:23:05 [1] [WebCompanion.UI.App #=zTY688A6jMj8KGHur5R$oUfHWnqjE] Starting Webcompanion with :C:\Users\user\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe --install --geo=..INFO 2024-07-01 09:23:06 [1] [FeatureMainComponent.Browsers.Firefox.FirefoxBrowser .ctor] Start monitoring FireFox Browser..INFO 2024-07-01 09:23:06 [1] [FeatureMainComponent.SearchProtect GetAllBrowserSetttings] Starting to collect ..INFO 2024-07-01 09:23:06 [1] [FeatureMainComponent.SearchProtect GetAllBrowserSetttings] Successfully collected information about all installed browsers..INFO 2024-07-01 09:23:06 [1] [FeatureMainComponent.SearchProtect GetAllBrowserSetttings] Starting to collect ..INFO 2024-07-01 09:23:06 [1] [FeatureMainComponent.SearchProtect GetAllBrowserSetttings] Succe

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	213656
Entropy (8bit):	5.7590593524797615
Encrypted:	false
SSDEEP:	3072:LK1c/KCOAUXk31Vv91GOtJJKuE1iA5mGPB8qd9OTymIpn+64kRAclDwRNG95ZI4Q:Ge9OAQsFtJrGPBnmIRZUL
MD5:	0CFE19791546A96C6699657A94604596
SHA1:	5D1A1B74CCA9F74FFFEBCB583661C02E4CA626DD
SHA-256:	56FDFD148F0D60805B2873A5A49739909001D11789B75DAB2B0EA8E55BC60913
SHA-512:	586CC695A2C3C03008D0A1032C221CD3384B5F4363E83C9D903753FB1DAD65B340BC8CD0659F7F891A641F8BD7535C9B889219842045854AA98CD380F0FE4AA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S...........!......... ........... ........@.. .......................@......sC....@.................................d...W........................2... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.653640389792838
TrID:	Win32 Executable (generic) a (10002005/4) 99.40% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Setup.exe
File size:	545'352 bytes
MD5:	a081cff1d93f1bcc478835dcb98e7c47
SHA1:	00e6cb7c41860aeb346958192c68eb86b4015fb2
SHA256:	c0db81c7d38819926df96d6fb3adda34fb8783acede83d5f9bc0b681f2287845
SHA512:	c95a0db92a5a40189a515aa109e3af25570156f1b25845f21ced7f855de21dfd7e212453b075ceb54f78916573a0194a25a85a4f7282c7293b49a8743895c5ea
SSDEEP:	12288:PG5knZfFKeT4OydwORmV42Y5RBHtf8WS8sejGxUeRx7/1F:PG50ZfFKM4RCa0gDS8geepF
TLSH:	82C4F1127DE089B5D5820431CC745FA6A2B6FE560A21887773987E3E7F7F642C232A1D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s..c}...s..Yy...s..w,...s...r./.s..w....s..Yx...s.......s.......s.Zyu...s.Rich..s.................PE..L......M...

Entrypoint:	0x4148d4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4DAC88CE [Mon Apr 18 18:54:06 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e00de6e48b9b06aceb12a81e7bf494c9

Signature Valid:	true
Signature Issuer:	CN=Entrust Extended Validation Code Signing CA - EVCS2, O="Entrust, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	5/1/2024 10:39:26 AM 5/1/2025 10:39:25 AM
Subject Chain	CN=7270356 Canada Inc., SERIALNUMBER=1417258-2, OID.2.5.4.15=Private Organization, O=7270356 Canada Inc., OID.1.3.6.1.4.1.311.60.2.1.3=CA, L=Saint-Laurent, S=Quebec, C=CA
Version:	3
Thumbprint MD5:	0E3940FCE9D8B244F0D82DDEEBE28F5E
Thumbprint SHA-1:	EA06433E6F12D2AADA040F4A6EF7C927404A4CBA
Thumbprint SHA-256:	EB0A666D9DFD790059DF788FBA544ABC93E1690F1425147BA0A6E784AFC6F5B5
Serial:	25D0CB9D7B0D6C700CDAE43D243AB1C6

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e9ac	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x71d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x81fb0	0x3298
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x200	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x197c0	0x19800	206b62d600beb166f8bf863ad5301f8c	False	0.5831609987745098	DOS executable (COM)	6.60822715389085	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x4490	0x4600	b0314f39355cab7d4674a0928d3b15f2	False	0.312109375	data	4.383775518811042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x20000	0x5a68	0x3200	8d44c03d32e0c923339cda9fae15827a	False	0.123828125	data	1.3793356235333818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sxdata	0x26000	0x4	0x200	35925cfdc1176bd9ffc634a58b40ec17	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27000	0x71d4	0x7200	cd606fe2fe8a9aaa6244d6a44a46010a	False	0.3919613486842105	data	4.655199945289653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x27354	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.37231182795698925
RT_ICON	0x2763c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_ICON	0x27764	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2833 x 2833 px/m			0.3200354609929078
RT_ICON	0x27bcc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2833 x 2833 px/m			0.23688524590163934
RT_ICON	0x28554	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2833 x 2833 px/m			0.1721388367729831
RT_ICON	0x295fc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2833 x 2833 px/m			0.1241701244813278
RT_ICON	0x2bba4	0x1a7b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9648915769287506
RT_DIALOG	0x2d620	0xb8	data	English	United States	0.6684782608695652
RT_STRING	0x2d6d8	0x94	data	English	United States	0.668918918918919
RT_STRING	0x2d76c	0x34	data	English	United States	0.6538461538461539
RT_GROUP_ICON	0x2d7a0	0x4c	data			0.8289473684210527
RT_GROUP_ICON	0x2d7ec	0x22	data	English	United States	1.0
RT_VERSION	0x2d810	0x344	data	English	United States	0.4318181818181818
RT_MANIFEST	0x2db54	0x67f	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.3692122669873722

DLL	Import
OLEAUT32.dll	VariantClear, SysAllocString
USER32.dll	SendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
SHELL32.dll	ShellExecuteExA
KERNEL32.dll	GetCurrentDirectoryA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, GetModuleFileNameW, GetModuleFileNameA, LocalFree, FormatMessageW, FormatMessageA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesW, SetFileAttributesA, RemoveDirectoryW, RemoveDirectoryA, CreateDirectoryW, CreateDirectoryA, DeleteFileW, DeleteFileA, GetFullPathNameW, GetFullPathNameA, SetCurrentDirectoryW, SetCurrentDirectoryA, GetCurrentDirectoryW, GetTempPathW, GetTempPathA, GetCurrentProcessId, GetTickCount, GetCurrentThreadId, FindClose, FindFirstFileW, FindFirstFileA, FindNextFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, TlsSetValue, TlsGetValue, ExitThread

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 15:22:16.774072886 CEST	63926	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:22:16.784794092 CEST	53	63926	8.8.8.8	192.168.2.22
Jul 1, 2024 15:22:17.548866987 CEST	65510	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:22:17.558201075 CEST	53	65510	8.8.8.8	192.168.2.22
Jul 1, 2024 15:22:18.495419025 CEST	62672	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:22:18.505928040 CEST	53	62672	8.8.8.8	192.168.2.22
Jul 1, 2024 15:22:34.164289951 CEST	56475	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:22:34.177405119 CEST	53	56475	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:10.155729055 CEST	49384	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:10.166115999 CEST	53	49384	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:10.944397926 CEST	54842	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:10.951397896 CEST	53	54842	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:12.059725046 CEST	58105	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:12.071681976 CEST	53	58105	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:13.344824076 CEST	64928	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:13.355492115 CEST	53	64928	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:17.341917992 CEST	57390	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:17.351593018 CEST	53	57390	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:27.029278040 CEST	58095	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:27.036089897 CEST	53	58095	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:28.747982025 CEST	54261	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:28.759779930 CEST	53	54261	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:38.040770054 CEST	60507	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:38.047667027 CEST	53	60507	8.8.8.8	192.168.2.22
Jul 1, 2024 15:23:39.039028883 CEST	50446	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:23:39.049829006 CEST	53	50446	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:22.377365112 CEST	55939	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:22.390634060 CEST	53	55939	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:25.842619896 CEST	49608	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:25.850717068 CEST	53	49608	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:27.006795883 CEST	61486	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:27.018003941 CEST	53	61486	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:28.129336119 CEST	53	61467	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:28.164136887 CEST	61618	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:28.164362907 CEST	54422	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:28.174010038 CEST	53	61618	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:28.175121069 CEST	53	56329	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:28.175859928 CEST	53	54422	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:28.178227901 CEST	53	59447	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:28.661389112 CEST	51828	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:28.673327923 CEST	53	51828	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.348763943 CEST	49750	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:29.348855972 CEST	64687	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:29.355628014 CEST	53	49750	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.358153105 CEST	53	64687	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.359330893 CEST	53	65009	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.366617918 CEST	53	54521	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.366717100 CEST	53	63373	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.380970955 CEST	53	51955	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:29.514458895 CEST	58971	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:29.525811911 CEST	53	58971	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:30.600218058 CEST	53	53060	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:31.246788979 CEST	58257	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:31.246891022 CEST	54738	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:31.257493973 CEST	53	58257	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:31.257533073 CEST	53	54738	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:31.298573017 CEST	49478	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:31.298672915 CEST	49288	53	192.168.2.22	8.8.8.8
Jul 1, 2024 15:25:31.308459044 CEST	53	49478	8.8.8.8	192.168.2.22
Jul 1, 2024 15:25:31.309087038 CEST	53	49288	8.8.8.8	192.168.2.22

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:22:16.795782089 CEST	66	OUT	GET / HTTP/1.1 Host: geo.lavasoft.com Connection: Keep-Alive
Jul 1, 2024 15:22:17.284307003 CEST	311	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:17 GMT Content-Type: text/plain Content-Length: 77 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b4398bd943c9-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 47 42 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"GB","x-geocountryname":"United Kingdom","cf-ipcountry":"US"}
Jul 1, 2024 15:22:17.494416952 CEST	311	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:17 GMT Content-Type: text/plain Content-Length: 77 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b4398bd943c9-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 47 42 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"GB","x-geocountryname":"United Kingdom","cf-ipcountry":"US"}
Jul 1, 2024 15:22:31.914199114 CEST	42	OUT	GET / HTTP/1.1 Host: geo.lavasoft.com
Jul 1, 2024 15:22:32.052702904 CEST	311	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:32 GMT Content-Type: text/plain Content-Length: 77 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b495dd3a43c9-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 47 42 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"GB","x-geocountryname":"United Kingdom","cf-ipcountry":"US"}
Jul 1, 2024 15:22:32.262634993 CEST	311	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:32 GMT Content-Type: text/plain Content-Length: 77 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b495dd3a43c9-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 47 42 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"GB","x-geocountryname":"United Kingdom","cf-ipcountry":"US"}

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:23:10.175843954 CEST	66	OUT	GET / HTTP/1.1 Host: geo.lavasoft.com Connection: Keep-Alive
Jul 1, 2024 15:23:10.852588892 CEST	310	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:23:10 GMT Content-Type: text/plain Content-Length: 76 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b5874ba48c6b-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"US","x-geocountryname":"United States","cf-ipcountry":"US"}
Jul 1, 2024 15:23:10.910387039 CEST	310	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:23:10 GMT Content-Type: text/plain Content-Length: 76 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b5874ba48c6b-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"US","x-geocountryname":"United States","cf-ipcountry":"US"}
Jul 1, 2024 15:23:17.127691984 CEST	42	OUT	GET / HTTP/1.1 Host: geo.lavasoft.com
Jul 1, 2024 15:23:17.263679981 CEST	310	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:23:17 GMT Content-Type: text/plain Content-Length: 76 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b5b05b6e8c6b-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"US","x-geocountryname":"United States","cf-ipcountry":"US"}
Jul 1, 2024 15:23:17.474452019 CEST	310	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:23:17 GMT Content-Type: text/plain Content-Length: 76 Connection: keep-alive Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b5b05b6e8c6b-EWR Data Raw: 7b 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 2c 22 78 2d 67 65 6f 63 6f 75 6e 74 72 79 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 66 2d 69 70 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"x-geocountry":"US","x-geocountryname":"United States","cf-ipcountry":"US"}

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:23:13.361488104 CEST	117	OUT	GET /Partner.svc/GetPartnerInfo?partner=IN240402 HTTP/1.1 Host: wc-partners.lavasoft.com Connection: Keep-Alive
Jul 1, 2024 15:23:13.891020060 CEST	381	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 01 Jul 2024 13:23:13 GMT Content-Type: application/json; charset=utf-8 Content-Length: 195 Connection: keep-alive X-Powered-By: ASP.NET Data Raw: 7b 22 47 65 74 50 61 72 74 6e 65 72 49 6e 66 6f 52 65 73 75 6c 74 22 3a 7b 22 43 4c 49 44 44 53 22 3a 31 30 30 30 38 37 31 2c 22 43 4c 49 44 48 50 22 3a 32 31 37 33 33 31 32 2c 22 43 54 49 44 22 3a 22 43 54 33 33 33 35 33 35 38 22 2c 22 44 65 66 61 75 6c 74 22 3a 66 61 6c 73 65 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 55 74 63 22 3a 22 37 5c 2f 31 5c 2f 32 30 32 34 20 31 3a 32 33 3a 31 33 20 50 4d 22 2c 22 50 54 41 47 22 3a 22 41 31 36 30 42 31 36 46 30 38 33 22 2c 22 50 55 52 4c 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 57 43 59 49 44 22 3a 22 57 43 59 49 44 31 30 32 34 39 22 7d 7d Data Ascii: {"GetPartnerInfoResult":{"CLIDDS":1000871,"CLIDHP":2173312,"CTID":"CT3335358","Default":false,"InstallDateUtc":"7\/1\/2024 1:23:13 PM","PTAG":"A160B16F083","PURL":"default","WCYID":"WCYID10249"}}
Jul 1, 2024 15:23:13.902312994 CEST	96	OUT	GET /Partner.svc/GetPartnerInfo?partner=IN240402_wb HTTP/1.1 Host: wc-partners.lavasoft.com
Jul 1, 2024 15:23:14.017277002 CEST	389	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 01 Jul 2024 13:23:13 GMT Content-Type: application/json; charset=utf-8 Content-Length: 203 Connection: keep-alive X-Powered-By: ASP.NET Data Raw: 7b 22 47 65 74 50 61 72 74 6e 65 72 49 6e 66 6f 52 65 73 75 6c 74 22 3a 7b 22 43 4c 49 44 44 53 22 3a 31 30 30 30 38 37 31 2c 22 43 4c 49 44 48 50 22 3a 32 31 37 33 33 31 32 2c 22 43 54 49 44 22 3a 22 43 54 33 33 32 39 33 38 30 22 2c 22 44 65 66 61 75 6c 74 22 3a 74 72 75 65 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 55 74 63 22 3a 22 37 5c 2f 31 5c 2f 32 30 32 34 20 31 3a 32 33 3a 31 33 20 50 4d 22 2c 22 50 54 41 47 22 3a 22 41 30 33 31 45 44 39 34 32 36 37 33 46 34 38 36 34 42 39 46 22 2c 22 50 55 52 4c 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 57 43 59 49 44 22 3a 22 57 43 59 49 44 31 30 30 30 30 22 7d 7d Data Ascii: {"GetPartnerInfoResult":{"CLIDDS":1000871,"CLIDHP":2173312,"CTID":"CT3329380","Default":true,"InstallDateUtc":"7\/1\/2024 1:23:13 PM","PTAG":"A031ED942673F4864B9F","PURL":"default","WCYID":"WCYID10000"}}
Jul 1, 2024 15:23:14.018591881 CEST	96	OUT	GET /Partner.svc/GetPartnerInfo?partner=IN240402_ab HTTP/1.1 Host: wc-partners.lavasoft.com
Jul 1, 2024 15:23:14.133461952 CEST	389	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 01 Jul 2024 13:23:14 GMT Content-Type: application/json; charset=utf-8 Content-Length: 203 Connection: keep-alive X-Powered-By: ASP.NET Data Raw: 7b 22 47 65 74 50 61 72 74 6e 65 72 49 6e 66 6f 52 65 73 75 6c 74 22 3a 7b 22 43 4c 49 44 44 53 22 3a 31 30 30 30 38 37 31 2c 22 43 4c 49 44 48 50 22 3a 32 31 37 33 33 31 32 2c 22 43 54 49 44 22 3a 22 43 54 33 33 32 39 33 38 30 22 2c 22 44 65 66 61 75 6c 74 22 3a 74 72 75 65 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 55 74 63 22 3a 22 37 5c 2f 31 5c 2f 32 30 32 34 20 31 3a 32 33 3a 31 34 20 50 4d 22 2c 22 50 54 41 47 22 3a 22 41 30 33 31 45 44 39 34 32 36 37 33 46 34 38 36 34 42 39 46 22 2c 22 50 55 52 4c 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 57 43 59 49 44 22 3a 22 57 43 59 49 44 31 30 30 30 30 22 7d 7d Data Ascii: {"GetPartnerInfoResult":{"CLIDDS":1000871,"CLIDHP":2173312,"CTID":"CT3329380","Default":true,"InstallDateUtc":"7\/1\/2024 1:23:14 PM","PTAG":"A031ED942673F4864B9F","PURL":"default","WCYID":"WCYID10000"}}
Jul 1, 2024 15:23:14.134572983 CEST	96	OUT	GET /Partner.svc/GetPartnerInfo?partner=IN240402_ac HTTP/1.1 Host: wc-partners.lavasoft.com
Jul 1, 2024 15:23:14.251740932 CEST	389	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 01 Jul 2024 13:23:14 GMT Content-Type: application/json; charset=utf-8 Content-Length: 203 Connection: keep-alive X-Powered-By: ASP.NET Data Raw: 7b 22 47 65 74 50 61 72 74 6e 65 72 49 6e 66 6f 52 65 73 75 6c 74 22 3a 7b 22 43 4c 49 44 44 53 22 3a 31 30 30 30 38 37 31 2c 22 43 4c 49 44 48 50 22 3a 32 31 37 33 33 31 32 2c 22 43 54 49 44 22 3a 22 43 54 33 33 32 39 33 38 30 22 2c 22 44 65 66 61 75 6c 74 22 3a 74 72 75 65 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 55 74 63 22 3a 22 37 5c 2f 31 5c 2f 32 30 32 34 20 31 3a 32 33 3a 31 34 20 50 4d 22 2c 22 50 54 41 47 22 3a 22 41 30 33 31 45 44 39 34 32 36 37 33 46 34 38 36 34 42 39 46 22 2c 22 50 55 52 4c 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 57 43 59 49 44 22 3a 22 57 43 59 49 44 31 30 30 30 30 22 7d 7d Data Ascii: {"GetPartnerInfoResult":{"CLIDDS":1000871,"CLIDHP":2173312,"CTID":"CT3329380","Default":true,"InstallDateUtc":"7\/1\/2024 1:23:14 PM","PTAG":"A031ED942673F4864B9F","PURL":"default","WCYID":"WCYID10000"}}

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:23:17.356937885 CEST	110	OUT	GET /version_logs?json=true&version=13.900.0.1080 HTTP/1.1 Host: webcompanion.com Connection: Keep-Alive
Jul 1, 2024 15:23:17.851248980 CEST	629	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:23:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.34 Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b5b4190742bf-EWR Data Raw: 31 35 38 0d 0a 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 63 6f 75 6e 74 28 29 3a 20 50 61 72 61 6d 65 74 65 72 20 6d 75 73 74 20 62 65 20 61 6e 20 61 72 72 61 79 20 6f 72 20 61 6e 20 6f 62 6a 65 63 74 20 74 68 61 74 20 69 6d 70 6c 65 6d 65 6e 74 73 20 43 6f 75 6e 74 61 62 6c 65 20 69 6e 20 3c 62 3e 2f 76 61 72 2f 77 77 77 2f 68 74 6d 6c 2f 69 6e 63 6c 75 64 65 73 2f 66 75 6e 63 74 69 6f 6e 73 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 39 31 3c 2f 62 3e 3c 62 72 20 2f 3e 0a 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 63 6f 75 6e 74 28 29 3a 20 50 61 72 61 6d 65 74 65 72 20 6d 75 73 74 20 62 65 20 61 6e 20 61 72 72 61 79 20 6f 72 20 61 6e 20 6f 62 6a 65 63 74 20 74 68 61 74 20 69 6d 70 6c 65 6d 65 6e 74 73 20 43 6f 75 6e 74 61 62 6c 65 20 69 6e 20 3c 62 3e 2f 76 61 72 2f 77 77 77 2f 68 74 6d 6c 2f 69 6e 63 6c 75 64 65 73 2f 66 75 6e 63 74 69 6f 6e 73 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 39 38 3c 2f 62 3e [TRUNCATED] Data Ascii: 158<br /><b>Warning</b>: count(): Parameter must be an array or an object that implements Countable in <b>/var/www/html/includes/functions.php</b> on line <b>91</b><br /><br /><b>Warning</b>: count(): Parameter must be an array or an object that implements Countable in <b>/var/www/html/includes/functions.php</b> on line <b>98</b><br />null0
Jul 1, 2024 15:23:18.062539101 CEST	629	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:23:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.34 Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b5b4190742bf-EWR Data Raw: 31 35 38 0d 0a 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 63 6f 75 6e 74 28 29 3a 20 50 61 72 61 6d 65 74 65 72 20 6d 75 73 74 20 62 65 20 61 6e 20 61 72 72 61 79 20 6f 72 20 61 6e 20 6f 62 6a 65 63 74 20 74 68 61 74 20 69 6d 70 6c 65 6d 65 6e 74 73 20 43 6f 75 6e 74 61 62 6c 65 20 69 6e 20 3c 62 3e 2f 76 61 72 2f 77 77 77 2f 68 74 6d 6c 2f 69 6e 63 6c 75 64 65 73 2f 66 75 6e 63 74 69 6f 6e 73 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 39 31 3c 2f 62 3e 3c 62 72 20 2f 3e 0a 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 63 6f 75 6e 74 28 29 3a 20 50 61 72 61 6d 65 74 65 72 20 6d 75 73 74 20 62 65 20 61 6e 20 61 72 72 61 79 20 6f 72 20 61 6e 20 6f 62 6a 65 63 74 20 74 68 61 74 20 69 6d 70 6c 65 6d 65 6e 74 73 20 43 6f 75 6e 74 61 62 6c 65 20 69 6e 20 3c 62 3e 2f 76 61 72 2f 77 77 77 2f 68 74 6d 6c 2f 69 6e 63 6c 75 64 65 73 2f 66 75 6e 63 74 69 6f 6e 73 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 39 38 3c 2f 62 3e [TRUNCATED] Data Ascii: 158<br /><b>Warning</b>: count(): Parameter must be an array or an object that implements Countable in <b>/var/www/html/includes/functions.php</b> on line <b>91</b><br /><br /><b>Warning</b>: count(): Parameter must be an array or an object that implements Countable in <b>/var/www/html/includes/functions.php</b> on line <b>98</b><br />null0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:18 UTC	143	OUT	POST /api/feature/WC HTTP/1.1 Content-Type: application/json Host: featureflags.lavasoft.com Content-Length: 194 Connection: Keep-Alive
2024-07-01 13:22:18 UTC	194	OUT	Data Raw: 7b 22 47 65 6f 22 3a 22 47 42 22 2c 22 50 61 72 74 6e 65 72 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 43 61 6d 70 61 69 67 6e 22 3a 22 32 30 35 34 31 36 31 39 31 33 31 22 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 22 3a 22 32 30 32 34 30 37 30 31 22 2c 22 54 72 69 67 67 65 72 54 79 70 65 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 54 72 69 67 67 65 72 45 76 65 6e 74 22 3a 22 69 6e 73 74 61 6c 6c 65 72 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 66 65 61 74 75 72 65 77 70 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 61 6c 22 3a 74 72 75 65 7d Data Ascii: {"Geo":"GB","Partner":"IN240402","Campaign":"20541619131","InstallDate":"20240701","TriggerType":"install","TriggerEvent":"installer","Version":"13.900.0.1080","featurewp":true,"featureal":true}
2024-07-01 13:22:18 UTC	472	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:18 GMT Content-Type: application/json; charset=utf-8 Content-Length: 846 Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b4403ef67290-EWR
2024-07-01 13:22:18 UTC	846	IN	Data Raw: 5b 7b 22 73 65 63 74 69 6f 6e 43 6f 64 65 22 3a 22 57 41 43 22 2c 22 63 6f 64 65 22 3a 22 57 41 43 22 2c 22 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 22 3a 22 7b 5c 22 49 63 6f 6e 5c 22 3a 20 5c 22 68 74 74 70 73 3a 2f 2f 77 65 62 63 6f 6d 70 61 6e 69 6f 6e 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 5c 22 2c 20 5c 22 41 70 70 4e 61 6d 65 5c 22 3a 20 5c 22 57 65 62 20 43 6f 6d 70 61 6e 69 6f 6e 5c 22 2c 20 5c 22 53 65 74 74 69 6e 67 73 5c 22 3a 20 5b 5c 22 57 43 41 75 74 6f 55 70 64 61 74 65 5c 22 2c 20 5c 22 45 6e 61 62 6c 65 47 72 61 6e 75 6c 61 72 69 74 79 5c 22 2c 20 5c 22 50 6f 73 74 52 75 6e 56 32 41 63 74 69 6f 6e 5c 22 2c 20 5c 22 50 6f 73 74 52 75 6e 54 69 6d 65 72 41 63 74 69 6f 6e 5c 22 2c 20 5c 22 45 6e 61 62 6c 65 54 65 Data Ascii: [{"sectionCode":"WAC","code":"WAC","configuration":"{\"Icon\": \"https://webcompanion.com/images/favicon.ico\", \"AppName\": \"Web Companion\", \"Settings\": [\"WCAutoUpdate\", \"EnableGranularity\", \"PostRunV2Action\", \"PostRunTimerAction\", \"EnableTe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:19 UTC	166	OUT	POST /v1/event-stat?Type=Start&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 470 Connection: Keep-Alive
2024-07-01 13:22:19 UTC	470	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 54 72 69 67 67 65 72 22 3a 20 22 69 6e 73 74 61 6c 6c 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "Trigger": "install", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit
2024-07-01 13:22:19 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:19 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b448598f41c1-EWR
2024-07-01 13:22:19 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:20 UTC	145	OUT	POST /v1/event-stat-wc?Type=Start&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 421
2024-07-01 13:22:20 UTC	421	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 54 72 69 67 67 65 72 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 22 4f 73 42 69 74 22 3a 22 36 34 22 2c 22 50 61 72 74 6e 65 72 49 44 22 3a 22 49 4e 32 34 30 34 30 32 22 Data Ascii: {"Data": {"MachineId":"de4229fc-f97f-5879-f50f-8fd339540479","InstallId":"a88aeddf-b18a-44a3-adb5-a827b688973a","Version":"13.900.0.1080","Trigger":"install","OsVersion":"Microsoft Windows 7 Professional Service Pack 1","OsBit":"64","PartnerID":"IN240402"
2024-07-01 13:22:20 UTC	235	IN	HTTP/1.1 400 Bad Request Date: Mon, 01 Jul 2024 13:22:20 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b44c7d6243c9-EWR
2024-07-01 13:22:20 UTC	39	IN	Data Raw: 32 31 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 76 61 6c 69 64 20 66 6f 72 6d 61 74 2f 64 61 74 61 22 7d 0d 0a Data Ascii: 21{"message":"Invalid format/data"}
2024-07-01 13:22:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:20 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 531
2024-07-01 13:22:20 UTC	531	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:20 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:20 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b4508aa56a58-EWR
2024-07-01 13:22:20 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:21 UTC	155	OUT	POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 669
2024-07-01 13:22:21 UTC	669	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 22 4f 73 42 69 74 22 3a 22 36 34 22 2c 22 50 61 72 74 6e 65 72 49 44 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 50 61 72 74 6e 65 72 49 64 22 3a 22 49 4e 32 34 30 34 Data Ascii: {"Data": {"MachineId":"de4229fc-f97f-5879-f50f-8fd339540479","InstallId":"a88aeddf-b18a-44a3-adb5-a827b688973a","Version":"13.900.0.1080","OsVersion":"Microsoft Windows 7 Professional Service Pack 1","OsBit":"64","PartnerID":"IN240402","PartnerId":"IN2404
2024-07-01 13:22:21 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:21 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b454cf8f43f1-EWR
2024-07-01 13:22:21 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:22 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 538
2024-07-01 13:22:22 UTC	538	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:23 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:22 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b45d2ed342f8-EWR
2024-07-01 13:22:23 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:24 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 538
2024-07-01 13:22:24 UTC	538	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:24 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:24 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b465dcc843fd-EWR
2024-07-01 13:22:24 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\155oeosf.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\1eyjg5un.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\3ljphqa5.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\bu202zfu.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\cjju51tc.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\ckxtsujp.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\d2zczf42.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\ecx1uqkv.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\epvcswql.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\figgaxwc.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\fyq3btjf.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\gvivsu1u.newcfg

C:\Users\user\AppData\Local\Lavasoft\WebCompanion.exe_Url_yp2hpg3cf5eojnthoee4kcwsmwwiacqj\13.900.0.1080\hdoy2tpb.newcfg

Windows Analysis Report
Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:25 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 550
2024-07-01 13:22:25 UTC	550	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:25 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:25 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b46e98ee0cbc-EWR
2024-07-01 13:22:25 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:26 UTC	155	OUT	POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 489
2024-07-01 13:22:26 UTC	489	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 22 4f 73 42 69 74 22 3a 22 36 34 22 2c 22 50 61 72 74 6e 65 72 49 44 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 50 61 72 74 6e 65 72 49 64 22 3a 22 49 4e 32 34 30 34 Data Ascii: {"Data": {"MachineId":"de4229fc-f97f-5879-f50f-8fd339540479","InstallId":"a88aeddf-b18a-44a3-adb5-a827b688973a","Version":"13.900.0.1080","OsVersion":"Microsoft Windows 7 Professional Service Pack 1","OsBit":"64","PartnerID":"IN240402","PartnerId":"IN2404
2024-07-01 13:22:26 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:26 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b472ee1c5e78-EWR
2024-07-01 13:22:26 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:27 UTC	155	OUT	POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 481
2024-07-01 13:22:27 UTC	481	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 22 4f 73 42 69 74 22 3a 22 36 34 22 2c 22 50 61 72 74 6e 65 72 49 44 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 50 61 72 74 6e 65 72 49 64 22 3a 22 49 4e 32 34 30 34 Data Ascii: {"Data": {"MachineId":"de4229fc-f97f-5879-f50f-8fd339540479","InstallId":"a88aeddf-b18a-44a3-adb5-a827b688973a","Version":"13.900.0.1080","OsVersion":"Microsoft Windows 7 Professional Service Pack 1","OsBit":"64","PartnerID":"IN240402","PartnerId":"IN2404
2024-07-01 13:22:27 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:27 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b47b4e096a52-EWR
2024-07-01 13:22:27 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:28 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 543
2024-07-01 13:22:28 UTC	543	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:28 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:28 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b47fbc084210-EWR
2024-07-01 13:22:28 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:29 UTC	155	OUT	POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 483
2024-07-01 13:22:29 UTC	483	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 22 4f 73 42 69 74 22 3a 22 36 34 22 2c 22 50 61 72 74 6e 65 72 49 44 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 50 61 72 74 6e 65 72 49 64 22 3a 22 49 4e 32 34 30 34 Data Ascii: {"Data": {"MachineId":"de4229fc-f97f-5879-f50f-8fd339540479","InstallId":"a88aeddf-b18a-44a3-adb5-a827b688973a","Version":"13.900.0.1080","OsVersion":"Microsoft Windows 7 Professional Service Pack 1","OsBit":"64","PartnerID":"IN240402","PartnerId":"IN2404
2024-07-01 13:22:29 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:29 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b483ea507d05-EWR
2024-07-01 13:22:29 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:30 UTC	155	OUT	POST /v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 498
2024-07-01 13:22:30 UTC	498	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 22 4f 73 42 69 74 22 3a 22 36 34 22 2c 22 50 61 72 74 6e 65 72 49 44 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 50 61 72 74 6e 65 72 49 64 22 3a 22 49 4e 32 34 30 34 Data Ascii: {"Data": {"MachineId":"de4229fc-f97f-5879-f50f-8fd339540479","InstallId":"a88aeddf-b18a-44a3-adb5-a827b688973a","Version":"13.900.0.1080","OsVersion":"Microsoft Windows 7 Professional Service Pack 1","OsBit":"64","PartnerID":"IN240402","PartnerId":"IN2404
2024-07-01 13:22:30 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:30 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b48c4e6e4407-EWR
2024-07-01 13:22:30 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:31 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 543
2024-07-01 13:22:31 UTC	543	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:31 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:31 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b490694a8c48-EWR
2024-07-01 13:22:31 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:32 UTC	118	OUT	POST /api/Update/WC HTTP/1.1 Content-Type: application/json Host: featureflags.lavasoft.com Content-Length: 194
2024-07-01 13:22:32 UTC	194	OUT	Data Raw: 7b 22 47 65 6f 22 3a 22 47 42 22 2c 22 50 61 72 74 6e 65 72 22 3a 22 49 4e 32 34 30 34 30 32 22 2c 22 43 61 6d 70 61 69 67 6e 22 3a 22 32 30 35 34 31 36 31 39 31 33 31 22 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 22 3a 22 32 30 32 34 30 37 30 31 22 2c 22 54 72 69 67 67 65 72 54 79 70 65 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 54 72 69 67 67 65 72 45 76 65 6e 74 22 3a 22 69 6e 73 74 61 6c 6c 65 72 22 2c 22 56 65 72 73 69 6f 6e 22 3a 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 22 66 65 61 74 75 72 65 77 70 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 61 6c 22 3a 74 72 75 65 7d Data Ascii: {"Geo":"GB","Partner":"IN240402","Campaign":"20541619131","InstallDate":"20240701","TriggerType":"install","TriggerEvent":"installer","Version":"13.900.0.1080","featurewp":true,"featureal":true}
2024-07-01 13:22:32 UTC	472	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:32 GMT Content-Type: application/json; charset=utf-8 Content-Length: 320 Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b49a3f7e423e-EWR
2024-07-01 13:22:32 UTC	320	IN	Data Raw: 7b 22 63 6f 64 65 22 3a 22 55 50 44 22 2c 22 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 22 3a 22 7b 5c 22 56 65 72 73 69 6f 6e 5c 22 3a 20 5c 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 5c 22 2c 20 5c 22 49 6e 73 74 61 6c 6c 65 72 45 78 65 5c 22 3a 20 5c 22 68 74 74 70 73 3a 2f 2f 77 63 64 6f 77 6e 6c 6f 61 64 65 72 63 64 6e 2e 6c 61 76 61 73 6f 66 74 2e 63 6f 6d 2f 31 33 2e 30 2e 30 2e 31 30 38 30 2f 57 43 49 6e 73 74 61 6c 6c 65 72 5f 4e 6f 6e 41 64 6d 69 6e 2e 65 78 65 5c 22 2c 20 5c 22 49 6e 73 74 61 6c 6c 65 72 5a 69 70 5c 22 3a 20 5c 22 68 74 74 70 73 3a 2f 2f 77 63 64 6f 77 6e 6c 6f 61 64 65 72 63 64 6e 2e 6c 61 76 61 73 6f 66 74 2e 63 6f 6d 2f 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 2f 57 65 62 43 6f 6d 70 61 6e 69 6f 6e 2d 31 33 2e 39 30 30 2e 30 2e 31 Data Ascii: {"code":"UPD","configuration":"{\"Version\": \"13.900.0.1080\", \"InstallerExe\": \"https://wcdownloadercdn.lavasoft.com/13.0.0.1080/WCInstaller_NonAdmin.exe\", \"InstallerZip\": \"https://wcdownloadercdn.lavasoft.com/13.900.0.1080/WebCompanion-13.900.0.1

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:33 UTC	152	OUT	POST /v1/event-stat?Type=ProgressInstall&ProductID=wc&EventVersion=1 HTTP/1.1 Content-Type: application/json Host: flwadw.com Content-Length: 540
2024-07-01 13:22:33 UTC	540	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 20 7b 0d 0a 20 20 22 4d 61 63 68 69 6e 65 49 64 22 3a 20 22 64 65 34 32 32 39 66 63 2d 66 39 37 66 2d 35 38 37 39 2d 66 35 30 66 2d 38 66 64 33 33 39 35 34 30 34 37 39 22 2c 0d 0a 20 20 22 49 6e 73 74 61 6c 6c 49 64 22 3a 20 22 61 38 38 61 65 64 64 66 2d 62 31 38 61 2d 34 34 61 33 2d 61 64 62 35 2d 61 38 32 37 62 36 38 38 39 37 33 61 22 2c 0d 0a 20 20 22 56 65 72 73 69 6f 6e 22 3a 20 22 31 33 2e 39 30 30 2e 30 2e 31 30 38 30 22 2c 0d 0a 20 20 22 4f 73 56 65 72 73 69 6f 6e 22 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 22 2c 0d 0a 20 20 22 4f 73 42 69 74 22 3a 20 22 36 34 22 2c 0d 0a 20 20 22 50 61 72 74 6e 65 72 49 64 22 3a 20 Data Ascii: {"Data": { "MachineId": "de4229fc-f97f-5879-f50f-8fd339540479", "InstallId": "a88aeddf-b18a-44a3-adb5-a827b688973a", "Version": "13.900.0.1080", "OsVersion": "Microsoft Windows 7 Professional Service Pack 1", "OsBit": "64", "PartnerId":
2024-07-01 13:22:33 UTC	479	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:33 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c6b49ec8f643f7-EWR
2024-07-01 13:22:33 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-01 13:22:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-01 13:22:34 UTC	127	OUT	GET /13.900.0.1080/WebCompanion-13.900.0.1080-prod.zip HTTP/1.1 Host: wcdownloadercdn.lavasoft.com Connection: Keep-Alive
2024-07-01 13:22:34 UTC	378	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 13:22:34 GMT Content-Type: application/zip Content-Length: 10494317 Connection: close ETag: "4139849418" Last-Modified: Wed, 15 May 2024 10:29:47 GMT CF-Cache-Status: REVALIDATED Expires: Mon, 01 Jul 2024 17:22:34 GMT Cache-Control: public, max-age=14400 Accept-Ranges: bytes Server: cloudflare CF-RAY: 89c6b4a78d944228-EWR
2024-07-01 13:22:34 UTC	991	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 d3 25 ae 58 c9 f2 0a dc 46 46 03 00 98 24 07 00 13 00 00 00 41 70 70 6c 69 63 61 74 69 6f 6e 2f 37 7a 61 2e 65 78 65 ec bd 79 78 54 45 d6 38 7c 7b 49 d2 59 48 27 40 43 58 c4 56 5b 8d 84 25 43 50 93 34 68 5f d2 4d 6e 43 47 40 44 51 a3 a0 68 0b ae 18 fa 86 20 8b 60 27 be e9 5c 5b 1d c5 19 75 1c c7 79 67 9c cf 19 97 51 47 59 5c bb 13 c8 c2 be b8 b0 8c 8a 7b 85 16 64 91 10 b6 dc ef 9c 53 b7 b7 10 a2 cf f7 fc 7e ff 7d 79 9e f4 dd aa 4e 9d 3a 75 ea d4 a9 53 a7 4e 55 dc f4 a4 60 10 04 c1 08 ff aa 2a 08 6b 04 fe e7 10 7e fd 8f c1 7f f6 f9 ef 65 0b ef a4 6f be 60 8d ce b3 f9 82 eb e6 ce 5b 60 9d 5f f5 c0 5d 55 b7 dd 67 9d 73 db fd f7 3f e0 b3 de 7e a7 b5 4a be df 3a ef 7e ab 73 ca 74 eb 7d 0f dc 71 e7 a8 3e 7d 32 6c 1a 8c f3 87 dd dd Data Ascii: PK%XFF$Application/7za.exeyxTE8\|{IYH'@CXV[%CP4h_MnCG@DQh `'\[uygQGY\{dS~}yN:uSNU`*k~eo`[`_]Ugs?~J:~st}q>}2l
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: 68 16 65 1b d6 f6 c2 2b 0c 82 7f 89 ad 50 f0 0d c7 24 f9 1c 18 0a 38 68 10 2c ec c3 6c ed 56 62 6f c3 6d fb fd 54 69 fc f2 b7 f8 97 67 a3 b7 c5 2c 88 25 fb d7 cd 25 ee 8b b7 51 b0 a2 98 0d de 1e 6d 9f 4d 67 b5 71 b0 42 62 27 b7 f5 f6 3d 9f ed e9 e5 bb 12 c4 aa 32 33 2f 1d 93 38 81 1f ad dd fa ae 14 6b b7 0a e5 90 47 f9 46 52 0e 17 ed 2d b9 c9 64 ae 3d 4f 8f b4 d7 7b fd c5 23 cd 75 39 f0 a0 34 69 e4 73 06 ef 51 95 88 d3 be b1 fa 41 e8 f4 6e 65 a0 72 aa 78 b0 af 9f 84 dd 51 52 43 c5 79 f2 71 85 a7 14 ed 67 96 95 04 cb 75 a2 dd 69 33 2d cc 77 2b 59 36 e0 4b 3d db d1 4f 10 4a 9b 7c d9 ca fa 28 48 e5 e7 48 8e 96 29 92 a6 dd a8 eb dd fe 96 3c fb 6b b6 57 e0 a1 ea 8f 4e 7b 64 e9 40 29 78 8d 55 0a 5a 76 6f 33 0a 6c df 00 41 18 13 6a af 86 51 46 0c ce 80 ae 3f ce Data Ascii: he+P$8h,lVbomTig,%%QmMgqBb'=23/8kGFR-d=O{#u94isQAnerxQRCyqgui3-w+Y6K=OJ\|(HH)<kWN{d@)xUZvo3lAjQF?
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: a9 81 72 98 19 0c 9d 00 5c 03 59 ae 80 c1 ad 64 96 c9 37 92 0b a1 2b 53 50 08 39 6d 33 71 74 cb 26 71 d8 ca fe 60 e1 63 1b ca a3 2d ac 76 04 f5 84 c2 59 b7 26 4b 94 c4 3e 33 93 0d 4e 11 12 f5 5e f1 3a 69 c5 4f cb b1 9e d1 01 44 54 18 2a 3b f0 38 97 b4 6f ae b0 ce 65 83 7c 28 66 1d a5 2d 72 4a 3b 33 e0 10 ad 69 80 73 d9 25 f7 c2 14 92 3e 6c c5 0f 2b 96 d8 f2 f7 a9 ea c3 55 29 ed 1f 1b a2 aa ed 97 a0 d7 3c b9 e2 cc 9b 30 01 35 d7 4e 00 96 5a 71 e6 2d ba bf 42 c7 93 cc 64 8b fb 90 d4 01 55 15 74 a2 3b aa 73 51 ae e2 fb bf e0 e0 8e af 3d c1 c7 6c ad a4 12 81 d0 bd 0e 68 41 a5 33 ad f4 21 38 aa cf 64 25 c6 98 7a 39 0a 6f db ed 80 03 48 f8 56 52 0d 00 8a 4f 4b 98 13 4f 98 42 09 fb 6a c8 ce 65 97 dd 23 08 1e a5 d2 36 53 cb 37 a1 7e 5c 9e 02 63 a7 dd 97 a1 86 80 Data Ascii: r\Yd7+SP9m3qt&q`c-vY&K>3N^:iODT*;8oe\|(f-rJ;3is%>l+U)<05NZq-BdUt;sQ=lhA3!8d%z9oHVROKOBje#6S7~\c
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: 41 c2 42 a3 d7 df 68 f5 06 72 71 34 32 af ce f5 d6 ed 90 bf 6b da 14 d5 c7 78 e3 79 94 af 61 b4 18 6a f3 2a 4b 05 34 e4 a2 44 f7 da bf f2 4d f3 fa 4f dd 56 95 0b bf 0f 2d 4c 09 2e d8 17 01 4d f2 d4 c3 0b 53 bc ca d1 48 96 79 f5 46 d5 e2 f8 00 2b 71 c8 eb 57 6f ab 1a 06 bf 0f 2d 4c f5 fa 7f b6 46 fa c2 fd c3 d5 90 66 ab 6a 19 4a 69 3a bd f6 e3 72 5f 6f dd 5e 79 25 ef 79 9a 5c 87 5e 79 78 13 e8 fe e9 91 e1 2e a8 a0 1b d0 04 fd 94 e3 9e 02 3a 74 c8 1a 14 3f 1e 37 68 a1 61 79 d8 6a 5e d5 06 b5 0d cb 59 0d 19 a0 1c d7 b6 c9 9b df d4 01 00 ac 6f 16 52 2e 4f e2 a3 2e 0c c9 40 1a bb 0e 2a 15 f2 fd 00 09 20 19 96 b1 dd d5 a0 77 36 64 b8 21 95 da e8 2a 0d fb 2e c4 a2 00 78 aa 18 94 ac 30 e7 68 68 15 79 69 46 98 0d 59 c5 d2 36 d9 04 70 e5 d6 68 31 08 03 80 67 00 a6 Data Ascii: ABhrq42kxyajK4DMOV-L.MSHyF+qWo-LFfjJi:r_o^y%y\^yx.:t?7hayj^YoR.O.@ w6d!*.x0hhyiFY6ph1g
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: d1 64 1a 2d 78 47 82 fd 0b 2a 94 76 04 3e 17 80 13 64 ad b6 9f e1 c4 cb 0f 80 9d 41 17 cc c6 b3 ec c0 47 6e e5 53 36 1f 5e f1 02 f2 63 2b 09 bc 1f 89 8a c3 54 a1 98 9c ca 04 a8 76 5f 9c 14 3a 6d e4 e2 11 80 19 11 ab 51 a3 53 8f c2 84 be 87 cb ef 6d 5e b1 c4 14 f0 d8 1c 4e a5 cd 67 4e 68 8e 12 93 fc 0b 2d 91 56 28 ad 31 a8 1b d9 a8 24 48 67 8d 1f 38 68 b0 65 87 7a 18 3f 34 8e 8c 8e 20 b1 3e 6d 5e b5 e7 3d 6e 6d 3e c1 6e 3b a3 8d 00 2d 5e 31 30 c4 2b b6 94 e9 f9 54 64 16 95 a5 c9 ae bd dc d8 ea 2d 19 0c 3a 3a c8 0f 40 58 6d 22 f6 f9 05 9a fb 3c 9a 65 65 3b 83 65 3a 20 1a 32 8e 7d 25 f6 bf e6 38 ff 27 c3 29 1e 1c 13 81 4d 5c 04 ee 64 bb 4e ab 6a 1d 34 c5 30 df 40 b7 b2 51 d9 69 5e 95 26 81 64 0e 90 6e 28 a9 1b e4 83 80 9c f1 66 21 19 6e b7 f1 ec e9 d3 28 0f Data Ascii: d-xG*v>dAGnS6^c+Tv_:mQSm^NgNh-V(1$Hg8hez?4 >m^=nm>n;-^10+Td-::@Xm"<ee;e: 2}%8')M\dNj40@Qi^&dn(f!n(
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: 2e a4 b0 9a 0b 5d ca 3a 34 0d 6f 61 af 9f 46 fd 0d 6a 8a 0f 87 40 a7 15 0d 07 ec f7 9b aa 36 24 29 ac 09 e3 7b 31 88 d0 16 91 34 45 51 61 a4 22 3a 95 49 d0 72 47 a0 1a d0 c4 e6 da 97 04 5c 3a d4 2b 9b 8b 76 80 46 cb fd 9a d0 c8 2f d0 22 40 fe 3f 10 49 a5 53 b6 a9 96 fe 74 ef ab 82 29 d2 8a a9 7c 8a 34 1b 52 ce f6 5d 63 14 d8 a7 8f 01 e7 d8 cb b2 aa 33 10 d3 8d ec 2f 47 b0 25 0c 4e 18 c5 3c 4a 6a d1 0e 65 73 60 89 2d 1f 57 db ad aa 65 c7 cb 08 49 c6 c9 d6 95 67 41 52 10 52 a0 cc 84 d3 3b 50 6a 8d 12 69 a8 c5 bc 66 ce fa 24 9f 42 8f f2 5f 6e 7f d6 79 94 bf db b0 2a ae a2 0e 67 e0 41 93 b3 be d0 55 3f d6 86 75 05 ed c6 a3 ec 77 d9 b7 50 75 33 75 54 dd 8a c0 82 4e f8 3f e4 0a 2c 60 80 dc 56 b8 df a7 5a 26 00 5e a2 bd 59 39 24 8f 56 2d 17 f3 07 73 ed 2e 5a f2 Data Ascii: .]:4oaFj@6$){14EQa":IrG\:+vF/"@?ISt)\|4R]c3/G%N<Jjes`-WeIgARR;Pjif$B_ny*gAU?uwPu3uTN?,`VZ&^Y9$V-s.Z
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: cb 00 19 f3 ca 50 fb 03 70 fb a6 ae 1d 5d d8 34 bd 9e e6 03 1b d0 6d 20 38 74 02 a8 63 92 7d 0f fa fe 95 e1 9c a5 d2 97 0d bf a3 7d 26 c9 0e 44 d8 25 33 50 5c dc 4a 9b a7 a0 d1 bd bd 93 2d 26 f3 0b f0 dd 56 ae 3c b5 ff e3 20 1a 3d 7b 81 3b da eb 5f dc 55 09 5d 1b 2e a3 65 23 70 70 d7 6f 2f 2e ab 7b 71 57 1e e4 36 d6 e9 49 56 8a 3d b1 8e fe e3 61 cc b0 d5 19 74 c0 3c c7 30 29 d8 df c1 fe 8b c6 f3 84 05 16 65 9a a9 08 cd b2 30 9f 49 f7 fa 4b 86 fb fa c1 ef d5 be 3e 2a ad 5b da 1b ab f6 f3 15 59 18 10 8a 76 78 ed 8d be 7c af 7f 91 be 54 be c0 5b 32 cd 28 0f f1 8e bf 4d a8 4a f5 8e 7f 48 a8 06 69 26 0a 7c cd 92 4c 75 0d 8d f1 39 d7 f2 45 b9 82 af 70 f9 a2 be 82 6f f8 f2 45 fd 04 9f ed 7d 4c 52 72 a3 09 f4 27 45 07 83 fd 88 bf 62 5b 9a c8 b5 23 ff 45 d2 d1 f4 Data Ascii: Pp]4m 8tc}}&D%3P\J-&V< ={;_U].e#ppo/.{qW6IV=at<0)e0IK>*[Yvx\|T[2(MJHi&\|Lu9EpoE}LRr'Eb[#E
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: ea 93 4a 93 12 b1 9f aa be 97 76 1e 57 08 5e d1 3f 2e ab d2 67 a2 eb 68 79 b2 53 59 af 99 38 79 9e 6a d0 1d 39 5b bc f6 09 d2 9a cf d4 71 37 82 39 b6 d7 2e 15 f5 50 03 36 3d 37 01 1d 39 a5 17 82 2e 1d 6e 56 5c a7 b7 ff 5c f5 c7 82 4e 65 1b 6e 73 c6 3d 7c e4 33 89 90 87 c6 20 5f db 0d 72 7c 17 df 6b df d1 4a b6 b6 d3 e1 79 80 ab f9 51 4e fe 84 c8 27 f5 d0 10 c9 7e 94 1b fe d0 db 1e bb e5 c4 2b 3b 93 5c 96 cf fa fe 55 fc bb b3 de 69 cb d3 64 14 b5 55 3e b6 95 5b 39 2c 36 30 50 cd 80 6b 5d 0d ad 1e a5 b1 68 07 bb ec 04 17 c1 cd a9 02 28 a4 57 e2 16 cb 54 9d b3 61 33 e8 7c 6f eb 70 2a 86 7b b1 1c 0d 0c 3a a8 ce fc e8 40 f2 eb 07 1a e6 e0 a7 41 9d aa 8a 16 09 50 5f ea 4f 6a 3b d4 80 66 85 6c d7 49 cd 65 bb 10 dd 20 80 e7 2d d8 8d af 42 04 95 8d ec 8a 9d 7c 26 Data Ascii: JvW^?.ghySY8yj9[q79.P6=79.nV\\Nens=\|3 _r\|kJyQN'~+;\UidU>[9,60Pk]h(WTa3\|op*{:@AP_Oj;flIe -B\|&
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: 67 73 38 e1 47 c2 1f 0f 3e 4e c5 bb 99 f8 53 89 8f b3 f1 6e 2e fe dc 2b 05 a7 e4 91 fa cf 1c 5d 04 94 56 5e 59 a4 13 45 a6 c7 36 95 7d ad dd 39 d8 5d 31 65 98 8d 6b a5 a5 5c c0 d6 6d d7 74 ca cb 5a b9 44 bd 80 ae 99 38 03 4e d2 88 cf 7b 80 7b 81 88 ea 66 51 d9 84 2a b1 a4 8c 6b 25 6d fc 7f d0 8b de 59 b2 c0 e4 1b 4c 95 ef 8f 3d 58 49 67 6f ec a7 aa cb 46 67 fd 82 7e 62 e9 41 54 1b a7 e4 a3 fe b5 0e 54 80 08 48 f9 29 c5 f8 b4 0a 9f ce 4f 4a f0 37 7c 95 15 4d f0 0c 0f 7e 30 3f 39 06 53 d2 bc e5 a9 ce de f6 51 e6 13 6f 1c 0c 74 8f 65 54 93 c0 e8 38 1b 91 fc 8d c5 34 3a 17 80 40 2e 3a 50 72 8f d5 fc e8 7f 31 6e 86 66 9b 33 a6 e2 bc eb 15 ea 2f 21 13 de d3 32 2f 5f 2b 7a 3a 82 06 30 73 a0 8e 9c 37 a9 55 57 6a cb c0 48 f3 9c cf 01 64 08 7b 8f 03 fe f1 ea c1 9f Data Ascii: gs8G>NSn.+]V^YE6}9]1ek\mtZD8N{{fQ*k%mYL=XIgoFg~bATTH)OJ7\|M~0?9SQoteT84:@.:Pr1nf3/!2/_+z:0s7UWjHd{
2024-07-01 13:22:34 UTC	1369	IN	Data Raw: 01 c4 42 01 24 fa 51 1e e2 1b fd d8 87 80 57 d1 de d2 26 19 03 08 0c 74 2a cd 68 a3 db ac 5a c6 03 0c c9 0e b3 bb 34 2d bc 65 f7 bd 6e 5c ed 67 4b 13 f3 c3 e4 6e 8b 6a c9 e8 96 35 ea f3 02 03 7b 21 6d ab 00 54 fb cc 90 52 b5 ce ae 18 a2 0b 2e 6b 52 30 60 08 da 38 bc dc 17 51 b5 34 2f 35 0a e3 8d f0 7a a1 05 6a 94 1b f3 1a bf 7f 0b d9 43 d1 56 b8 62 1d 42 e5 b8 f5 68 4b 89 ca 18 f6 f2 26 f2 51 93 f8 7e 8f 8d 6c 1e b7 cd 5e 40 f1 d0 b6 a3 66 56 63 51 43 f6 32 d3 82 ec 64 4f 44 5c f1 c1 31 cd 52 5e cb e3 7b dd b3 35 79 e3 cf d9 be 6c 52 cc 97 4d 42 5f 36 07 5b f9 70 82 2f 9b 66 97 c1 2d 47 3c a8 a5 83 34 1d 8a 3a e1 20 a1 cc 3a 61 fe db c2 43 a5 e9 a2 41 85 34 49 a9 49 6d 2d d4 1a 5a b5 d1 b9 4c 69 29 da b1 56 e8 87 54 2b 5c 4c 0c 70 13 ea 75 cf 6a 95 1d 47 Data Ascii: B$QW&t*hZ4-en\gKnj5{!mTR.kR0`8Q4/5zjCVbBhK&Q~l^@fVcQC2dOD\1R^{5ylRMB_6[p/f-G<4: :aCA4IIm-ZLi)VT+\LpujG