Analysis
  max time kernel: 184s
  max time network: 189s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-11-2022 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Resource: win7-20220812-en
General
  Target: c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Size: 2.2MB
  MD5: 8feb836bd361e165c2befe860ebe224b
  SHA1: d665c6418e89d8fdfc5d592f8c97ea40e6d5a8d6
  SHA256: c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e
  SHA512: d50b221204e0694d9804ed61e19c439231a8fa71809aecd2a7ecc4318d676b7e4dc27b65b5a84d776a8dcd81d9126d9c14f38fafb1f061f5786106b5c3e473a8
  SSDEEP: 49152:GKa3UDk3qT70fTYkyw6Uhv2qZ6SMIOT52xniiWGG05F:Gt3UDkaT4TYMJ2qdML5wiiw05F
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (4 IoCs)
Detects file using ACProtect software.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll | acprotect (this match is reported four times for the same file)
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Drops file in Drivers directory (1 IoCs)
Processes: cscript.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cscript.exe
Executes dropped EXE (24 IoCs)
Processes:
  pid | process
  1412 | SoftwareDetector.exe
  516 | sqlite3.exe
  4240 | sqlite3.exe
  4660 | storageedit.exe
  3852 | Updater.exe
  3700 | updater.exe
  3708 | updater.exe
  4524 | updater.exe
  2276 | updater.exe
  4440 | SoftwareDetector.exe
  2936 | SoftwareDetector.exe
  4400 | gpedit.exe
  4412 | bservice.exe
  1708 | bservice64.exe
  2764 | wd.exe
  2052 | SoftwareDetector.exe
  1968 | FrameworkEngine.exe
  5048 | pwdg.exe
  2804 |
  4876 | proc.exe
  4332 | updater.exe
  516 | updater.exe
  3600 | updater.exe
  316 | updater.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Registers COM server for autorun (1 TTPs, 6 IoCs)
Processes: regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO64.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO64.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll | upx (this match is reported four times for the same file)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: SoftwareDetector.exe (four instances)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SoftwareDetector.exe (same query recorded once per instance, four times in total)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: pwdg.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | pwdg.exe
Loads dropped DLL 64 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 9 IoCs)
Processes: c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\protectedsurf | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\protectedsurf-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\protectedsurf\\repair.js\" \"protectedsurf-repairJob\"" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BService = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice.exe" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BService64 = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice64.exe" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wd = "C:\\Program Files (x86)\\Bench\\Wd\\wd.exe" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object (2 TTPs, 6 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe (two instances)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\ = "protectedsurf BHO" | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\NoExplorer = "1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\ = "protectedsurf BHO" | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332}\NoExplorer = "1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CAE7395-64C7-465D-BE3D-4235878F1332} | regsvr32.exe
Maps connected drives based on registry (3 TTPs, 8 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: SoftwareDetector.exe (four instances)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SoftwareDetector.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | SoftwareDetector.exe
  (this pair of operations is recorded once per instance, four times in total)
Drops file in System32 directory (4 IoCs)
Processes: gpedit.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | gpedit.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | gpedit.exe
  File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | gpedit.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | gpedit.exe
Drops file in Program Files directory (64 IoCs)
Processes: c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe, cscript.exe, updater.exe, cscript.exe
  description | ioc | process
  File created | C:\Program Files (x86)\protectedsurf\background.html | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\context_menu.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\tail-left.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\NmHost\manifest.json | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_webrequest.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\icons\icon128.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File opened for modification | C:\Program Files (x86)\protectedsurf\extension_info.json | cscript.exe
  File created | C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_common.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_content.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\CanvasFramework\canvas_bg.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\notification.html | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\Updater\products.xml | updater.exe
  File created | C:\Program Files (x86)\protectedsurf\FrameworkBHO64.dll | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\bottom-right.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\top-left.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\FrameworkBHO.dll | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\config.xml | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\CanvasFramework\md5.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\initialize.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\messaging.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\io.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\json2.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\options.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\ui_base.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\Updater\updater.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\Proxy\cl.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\backgroundscript_engine.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\i18n.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\timer.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\xhr.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\top-right.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\context_menu_item_handler.html | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\tail-bottom.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File opened for modification | C:\Program Files (x86)\Bench\Updater\products.xml | updater.exe
  File created | C:\Program Files (x86)\Bench\Proxy\proc.exe | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\CanvasFramework\registry.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\top-middle.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\AppFramework\appAPI_bg.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\framework.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\message_target.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\userscript_client.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\middle-left.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\invoke_async.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\updater.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\bottom-middle.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\theme\bubble\bottom-left.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\icons\icon100.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\icons\icon48.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\base.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\browser.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\console.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\legacy.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\utils.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\icons\button.png | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File opened for modification | C:\Program Files (x86)\Bench\NmHost\manifest.json | cscript.exe
  File created | C:\Program Files (x86)\protectedsurf\CanvasFramework\canvasscript_engine.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework\global.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  File created | C:\Program Files (x86)\protectedsurf\framework-ui\framework_api.js | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Drops file in Windows directory (3 IoCs)
Processes: Updater.exe, updater.exe, updater.exe
  description | ioc | process
  File created | C:\Windows\Tasks\bench-sys.job | Updater.exe
  File created | C:\Windows\Tasks\bench-S-1-5-21-2629973501-4017243118-3254762364-1000.job | updater.exe
  File opened for modification | C:\Windows\Tasks\bench-S-1-5-21-2629973501-4017243118-3254762364-1000.job | updater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes: FrameworkEngine.exe, regsvr32.exe, c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe, regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppPath = "C:\\Program Files (x86)\\protectedsurf\\" | FrameworkEngine.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C} = "protectedsurf" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF} | FrameworkEngine.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF} | FrameworkEngine.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\Policy = "3" | FrameworkEngine.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppName = "FrameworkEngine.exe" | FrameworkEngine.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\Policy = "3" | FrameworkEngine.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppPath = "C:\\Program Files (x86)\\protectedsurf\\" | FrameworkEngine.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D1486DE-B44E-4995-90EA-1946199E1EAF}\AppName = "FrameworkEngine.exe" | FrameworkEngine.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C} = "protectedsurf" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
Modifies registry class (64 IoCs)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process (events)
2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe (60)
2764 wd.exe (4)
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description pid process (events)
Token: SeDebugPrivilege 5048 pwdg.exe (16)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process (events)
5048 pwdg.exe (2)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process (events)
5048 pwdg.exe (2)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid process
4412 bservice.exe
1708 bservice64.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process (events)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 1960 cscript.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 4920 cscript.exe (3)
PID 4920 cscript.exe wrote to memory of 1412 SoftwareDetector.exe (3)
PID 4920 cscript.exe wrote to memory of 516 sqlite3.exe (3)
PID 4920 cscript.exe wrote to memory of 4240 sqlite3.exe (3)
PID 4920 cscript.exe wrote to memory of 4660 storageedit.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 224 net.exe (3)
PID 224 net.exe wrote to memory of 2308 net1.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 3852 Updater.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 3700 updater.exe (3)
PID 3700 updater.exe wrote to memory of 3708 updater.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 4524 updater.exe (3)
PID 4524 updater.exe wrote to memory of 2276 updater.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 1152 cscript.exe (3)
PID 1152 cscript.exe wrote to memory of 4440 SoftwareDetector.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 1228 cscript.exe (3)
PID 1228 cscript.exe wrote to memory of 2936 SoftwareDetector.exe (3)
PID 1228 cscript.exe wrote to memory of 4400 gpedit.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 1652 cscript.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 4412 bservice.exe (3)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 1708 bservice64.exe (2)
PID 2288 c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe wrote to memory of 2764 wd.exe (2)
-
System policy modification 1 TTPs 2 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332} = "1" cscript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID cscript.exe
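Read together, the "Modifies registry class" events and the policy change above describe one add-on: regsvr32.exe registers CLSID {9CAE7395-64C7-465D-BE3D-4235878F1332} as an apartment-threaded in-process COM server and tags it with category {59FB2056-D625-48D0-A944-1A85B5AB2640}, the GUID that declares an Internet Explorer add-on compatible with Enhanced Protected Mode; the ProxyStubClsid32 value {00020424-0000-0000-C000-000000000046} on the Interface keys means the interfaces are marshaled from the registered type library. cscript.exe then writes that same CLSID under Policies\Ext\CLSID with value "1", the Add-on List policy, which allows the add-on by policy so that it cannot be switched off from Manage Add-ons. The script below is an added example, not code from the sandbox report or from the sample: it parses a handful of event lines copied from the report and rebuilds the per-CLSID registration, flagging the one the policy forces on. The parser, the record layout and the choice of SAMPLE_EVENTS are assumptions of the example; the category constant is the documented GUID.

```python
"""Rebuild COM registrations from Triage-style registry events and flag the
CLSID that the IE Add-on List policy forces enabled.

Added example; not code from the sandbox report or the sample. SAMPLE_EVENTS
are copied verbatim from the report's listings above (constructed selection).
"""
import re

# Documented category GUID: IE add-on declares itself Enhanced Protected Mode compatible.
CATID_APPCONTAINER_COMPATIBLE = "{59FB2056-D625-48D0-A944-1A85B5AB2640}"

SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\ = "protectedsurf" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80CE7BD-DD6F-414B-B19C-D19176054B7A}\LocalServer32\ = "\"C:\\Program Files (x86)\\protectedsurf\\FrameworkEngine.exe\"" FrameworkEngine.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E8C7D5F-C852-4D43-94FF-F1EAB93F130C}\InprocServer32 regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4F91404-D00B-4BF5-88DE-AD533C0F66C5}\1.0\0\win64\ = "C:\\Program Files (x86)\\protectedsurf\\FrameworkBHO64.dll" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9CAE7395-64C7-465D-BE3D-4235878F1332} = "1" cscript.exe',
]

# CLSID registrations in either the native or the WOW6432Node view; group 2 is the subkey path.
CLSID_RE = re.compile(r'\\Classes\\(?:WOW6432Node\\)?CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.*))?$', re.I)
# The IE Add-on List policy key; its value names are CLSIDs, value "1" = allowed by policy.
POLICY_RE = re.compile(r'\\Policies\\Ext\\CLSID$', re.I)


def _unescape(value):
    """Undo the report's escaping of embedded quotes and backslashes."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_event(line):
    """Split one report line into (op, key, value_name, value, process).

    value_name is "" for a key's default value and None for 'Key created'.
    """
    for prefix, op in (("Set value (str) ", "set"), ("Key created ", "create")):
        if line.startswith(prefix):
            rest = line[len(prefix):]
            break
    else:
        raise ValueError("unrecognised event: " + line)
    rest, process = rest.rsplit(" ", 1)          # process name is the last token
    if op == "create":
        return op, rest, None, None, process
    path, value = rest.split(' = "', 1)          # value keeps spaces; trailing quote dropped
    key, name = path.rsplit("\\", 1)             # trailing "\" means the default value
    return op, key, name, _unescape(value[:-1]), process


def _new_record():
    return {"name": None, "server": None, "threading": None,
            "categories": set(), "views": set(), "forced": False}


def summarize(lines):
    """CLSID -> what was registered for it, plus whether policy forces it on."""
    coms = {}
    for line in lines:
        op, key, name, value, _proc = parse_event(line)
        if op == "set" and POLICY_RE.search(key) and value == "1":
            coms.setdefault(name.upper(), _new_record())["forced"] = True
            continue
        m = CLSID_RE.search(key)
        if not m:
            continue                              # TypeLib/Interface keys are not CLSID registrations
        clsid, sub = m.group(1).upper(), m.group(2) or ""
        rec = coms.setdefault(clsid, _new_record())
        rec["views"].add("WOW6432Node" if "\\WOW6432Node\\" in key else "native")
        if sub == "" and name == "":
            rec["name"] = value                   # CLSID default value: friendly name
        elif sub in ("InprocServer32", "LocalServer32") and name == "":
            rec["server"] = (sub, value.strip('"'))
        elif sub == "InprocServer32" and name == "ThreadingModel":
            rec["threading"] = value
        elif sub.startswith("Implemented Categories\\"):
            rec["categories"].add(sub.split("\\", 1)[1].upper())
    return coms


def forced_addons(coms):
    """(clsid, record) pairs that the Policies\\Ext\\CLSID key forces enabled."""
    return [(c, r) for c, r in coms.items() if r["forced"]]


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for clsid, rec in summary.items():
        epm = "EPM-compatible" if CATID_APPCONTAINER_COMPATIBLE in rec["categories"] else ""
        print(clsid, rec["name"], rec["server"], rec["threading"], epm,
              "FORCED BY POLICY" if rec["forced"] else "")
```

Feeding the full "Modifies registry class" listing (not just the excerpt) into summarize() gives every CLSID the installer registered; any entry whose "forced" flag is set without the user having chosen it is the one to remove first, because clearing only the Browser Helper Objects key leaves the policy in place.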
Processes
-
Depth in brackets; image path on the first line of each entry, command line on the second.
[1] C:\Users\Admin\AppData\Local\Temp\c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe
    "C:\Users\Admin\AppData\Local\Temp\c462d2e363012cbb22862af11b6023b0244b9e526c670b37f7ea6d677c6cf79e.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/installer-run/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/xriderexe/7114365/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027" "C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\pz_info" ""
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "migrate.js" /iversion=20141023 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /chrome-dir="" /firefox-dir="C:\Users\Admin\AppData\Local\protectedsurf\firefox" /ie-dir="C:\Program Files (x86)\protectedsurf" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
        SoftwareDetector.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Maps connected drives based on registry
    [3] C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
        "C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_palhdiakifnjfamgjhknifndhdmhkkap_0.localstorage" "SELECT value FROM ItemTable WHERE key='_GPL_zoneid';"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
        "C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.Admin\framework-f0b7380a-85d9-50c6-97ad-85d373c7aa0f.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\protectedsurf\storageedit.exe
        storageedit.exe ie {9CAE7395-64C7-465D-BE3D-4235878F1332} get _GPL_zoneid
        - Executes dropped EXE
  [2] C:\Windows\SysWOW64\net.exe
      net.exe start schedule
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start schedule
  [2] C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
      "C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
      - Executes dropped EXE
      - Drops file in Windows directory
  [2] C:\Program Files (x86)\Bench\Updater\updater.exe
      "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
        "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
        - Executes dropped EXE
        - Drops file in Windows directory
  [2] C:\Program Files (x86)\Bench\Updater\updater.exe
      "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsa20E9.tmp"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
        "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsa20E9.tmp"
        - Executes dropped EXE
        - Drops file in Program Files directory
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "main_installer.js" install /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
        SoftwareDetector.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Maps connected drives based on registry
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "installer.js" install chrome "" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
      - Drops file in Drivers directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
        SoftwareDetector.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Maps connected drives based on registry
    [3] C:\Users\Admin\AppData\Local\protectedsurf\gpedit.exe
        gpedit.exe chrome add-extension palhdiakifnjfamgjhknifndhdmhkkap http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE
        - Executes dropped EXE
        - Drops file in System32 directory
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "chrome_gp_update.js" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
  [2] C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
      "C:\Program Files (x86)\Bench\BService\1.1\bservice.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
  [2] C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
      "C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
  [2] C:\Program Files (x86)\Bench\Wd\wd.exe
      "C:\Program Files (x86)\Bench\Wd\wd.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\protectedsurf\firefox\" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
      - Loads dropped DLL
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "installer.js" install ie "C:\Program Files (x86)\protectedsurf\" /product-name="protectedsurf" /installation-time="1669338547" /pid="2027" /zone="7114365" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38991" /updateip="54.235.90.58" /version="1.0" /straoi="" /enable-extensions /enable-incognito /chrome-id="palhdiakifnjfamgjhknifndhdmhkkap" /chrome-update-url="http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE" /close-chrome /close-firefox /close-ie
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System policy modification
    [3] C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
        SoftwareDetector.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Maps connected drives based on registry
    [3] C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe
        "C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe" /RegServer
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies Internet Explorer settings
        - Modifies registry class
    [3] C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\FrameworkBHO.dll"
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - Modifies Internet Explorer settings
        - Modifies registry class
    [3] C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\FrameworkBHO64.dll"
        - Loads dropped DLL
      [4] C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\protectedsurf\FrameworkBHO64.dll"
          - Registers COM server for autorun
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - Modifies Internet Explorer settings
          - Modifies registry class
    [3] C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\RequestHelper.dll"
        - Loads dropped DLL
  [2] C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
      - Modifies Windows Firewall
      - Loads dropped DLL
  [2] C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
      - Modifies Windows Firewall
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Bench\Proxy\pwdg.exe
      "C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [3] C:\Program Files (x86)\Bench\Proxy\proc.exe
        "C:\Program Files (x86)\Bench\Proxy\proc.exe"
        - Executes dropped EXE
        - Loads dropped DLL
  [2] C:\Program Files (x86)\Bench\Updater\updater.exe
      "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
      - Executes dropped EXE
    [3] C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
        "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
  [2] C:\Program Files (x86)\Bench\Updater\updater.exe
      "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\protectedsurf\info.xml"
      - Executes dropped EXE
    [3] C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
        "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\protectedsurf\info.xml"
        - Executes dropped EXE
        - Loads dropped DLL
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/tbi-ping/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/xriderexe/7114365/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027" "" ""
      - Loads dropped DLL
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/id-check/b2d30cb54a6319e0f028c35ff0441b68/" "C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\get.dat" ""
      - Loads dropped DLL
  [2] C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/newuser-ping/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/0/xriderexe/7114365/0/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027&os=8.1&admin=1" "" ""
      - Loads dropped DLL
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
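The process tree above is enough to classify the installer's behaviour from command lines alone: scheduled-task persistence (net start schedule followed by updater.exe -runmode=addsystask/addtask), COM and BHO registration (FrameworkEngine.exe /RegServer, regsvr32.exe /s on the Framework DLLs), a Chrome extension pushed through policy (gpedit.exe chrome add-extension), a firewall exception for a local listener on port 3128 (the conventional proxy port), install beacons to installping5.info, and sqlite3.exe reading the extension's own Local Storage. The script below is an added example, not code from the sandbox report or from the sample: it runs a small rule set over command lines copied from the tree and parses the netsh rule to show that the exception is loopback-only, i.e. it admits the browser to a local proxy rather than exposing anything to the network. The rule set, the ATT&CK labels and the output format are the example's own assumptions.

```python
"""Command-line triage for the installer chain shown in the process tree.

Added example; not code from the sandbox report or the sample. COMMAND_LINES
are copied from the report's process tree (constructed selection); the rules
and technique labels are this example's own heuristics.
"""
import re
from dataclasses import dataclass

COMMAND_LINES = [
    r'''"C:\Windows\system32\cscript.exe" //Nologo "ping.js" "http://www.installping5.info/installer-run/b2d30cb54a6319e0f028c35ff0441b68/783c77e05498ce500056c842042b599e/xriderexe/7114365/?pid=38991&sub_id=default&uzid=7114365&subid=&pid=2027" "C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\pz_info" ""''',
    r'''net.exe start schedule''',
    r'''"C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask''',
    r'''"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask''',
    r'''gpedit.exe chrome add-extension palhdiakifnjfamgjhknifndhdmhkkap http://palhdiakifnjfamgjhknifndhdmhkkap/check/.eJwNiUkOgCAMAP_SMzF65TOmkWJL2QJoTIx_l9ssLwzsChYObiURGLipdSl5pm1Zp0vuA2OkBna0iwzQM3Zx81eM7ARVfA4e0xlY82THLrEqVvh-3PshJg.FaCAANFWFab0R3qWEsdrxsOY9HE''',
    r'''regsvr32.exe /s "C:\Program Files (x86)\protectedsurf\FrameworkBHO.dll"''',
    r'''"C:\Program Files (x86)\protectedsurf\FrameworkEngine.exe" /RegServer''',
    r'''netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"''',
    r'''"C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_palhdiakifnjfamgjhknifndhdmhkkap_0.localstorage" "SELECT value FROM ItemTable WHERE key='_GPL_zoneid';"''',
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique, or a plain label where none fits cleanly
    detail: str
    command: str


def parse_netsh_rule(cmd):
    """key=value pairs of a 'netsh advfirewall firewall add rule' command, quotes removed."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmd)}


def loopback_only(rule):
    """True when the rule only admits traffic that never leaves the host."""
    return rule.get("localip") == "127.0.0.1" and rule.get("remoteip") == "127.0.0.1"


def _firewall_detail(m, cmd):
    r = parse_netsh_rule(cmd)
    scope = "loopback-only" if loopback_only(r) else "reachable from " + r.get("remoteip", "any")
    return f'{r.get("dir")} {r.get("protocol")} port {r.get("localport")} to {r.get("program")} ({scope})'


# (pattern, label, detail builder). A command line may match several rules.
RULES = [
    (re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b', re.I),
     "T1562.004 Disable or Modify System Firewall", _firewall_detail),
    (re.compile(r'\bnet1?(?:\.exe)?\s+start\s+schedule\b|-runmode=add(?:sys)?task\b', re.I),
     "T1053.005 Scheduled Task", lambda m, cmd: m.group(0)),
    (re.compile(r'\bregsvr32(?:\.exe)?\s+/s\s+"?([^"]+\.dll)', re.I),
     "T1218.010 Regsvr32", lambda m, cmd: m.group(1)),
    (re.compile(r'\s/RegServer\b', re.I),
     "COM server self-registration", lambda m, cmd: cmd.split('"')[1]),
    (re.compile(r'\bgpedit(?:\.exe)?\s+chrome\s+add-extension\s+([a-p]{32})\b', re.I),
     "T1176 Browser Extensions", lambda m, cmd: "policy-installed Chrome extension " + m.group(1)),
    (re.compile(r'ping\.js"\s+"(https?://[^"?]+)', re.I),
     "T1071.001 Web Protocols", lambda m, cmd: "install beacon to " + m.group(1)),
    (re.compile(r'\bsqlite3(?:\.exe)?"?\s+"([^"]+)"\s+"(SELECT[^"]+)"', re.I),
     "Reads browser extension storage", lambda m, cmd: m.group(2)),
]


def triage(command_lines):
    """Run every rule over every command line and collect the findings."""
    findings = []
    for cmd in command_lines:
        for pattern, technique, detail in RULES:
            m = pattern.search(cmd)
            if m:
                findings.append(Finding(technique, detail(m, cmd), cmd))
    return findings


def techniques(findings):
    """Sorted unique technique labels, for a one-line verdict."""
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f"{f.technique:45} {f.detail}")
```

The loopback check matters for the response: a 127.0.0.1-to-127.0.0.1 allow rule on 3128 is not remote exposure, it is the plumbing that lets the browser reach proc.exe, so the remediation is to remove the proxy configuration and the Bench\Proxy binaries rather than only the firewall rule.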
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll
Filesize 52KB
MD5 72b1a3d56f812839ae5ba3420a5ed812
SHA1 0fadb783c6c38284e5819bcaded2a1c50503f7af
SHA256 cc54e42139a9f01777833c5fbe9e545e008c74b6fa0abbc37d6d29d9976098be
SHA512 5bca01f36822e4345c792e9a65cb9823bed6ab8e7406906e089731c464056b9330dee014a968a5b4c069e72f682cf8167b131e6cc5cdb5478eb36aef6994b2b8
-
C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll
Filesize 108KB
MD5 1ee6f52ca4a576a5a21f11bc91634fa1
SHA1 cc88403e0541a0f8ab9ebc3beb4eef27132cee1d
SHA256 eee40028b8d3074cdd8c44714c04ee514578fddc21bcad9fb35624b4ab3e7865
SHA512 1295e08d0cc43c6297ede90aff02f75783939dfe39b6a93de0a701de2e2c84325e6b17374e4adcdf975579935c2cbd6ba39c840ec2bbe2e0bb5908921298d106
-
C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
Filesize 51KB
MD5 a7bea13873210cdfccb51f54c2799a83
SHA1 ccfcd73f208f834c854e46e6f31db11aada5cf08
SHA256 e5f5765909b57d992640fb4a48815b0b4e84588b98eef61423dc77e8dc1afa26
SHA512 435a16fda6cc3b9e5087e3747a262e05341f89a96529eea182875ca86f23fd23f21a0759973c3f08a8114f2cd2fd589401f3188f08481730deb06fac8d5d00fe
-
C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
Filesize 108KB
MD5 f51d7d7a34492a032c2eee93a53308f3
SHA1 c9976887ba98e303142d710b450957c5c8ae0d3f
SHA256 9b4f14184ad6291b9f919214d973b747b26118a4ffc6dcac5fbdd1309b45379c
SHA512 66490aad7a4aab96cd62e8ec7638e1e9de43cb277ec840fd4106ff4b1053ed077e4d4d450ff2890fe3c6cd29051fb98f2d206ca73f50bcb0c80271c80f54e7d5
-
C:\Program Files (x86)\Bench\NmHost\manifest.json
Filesize 221B
MD5 a88a5c36a39e517cd6606eb59bd5c462
SHA1 6bfe7b8d96e8f09c672057375dad9d40bf60b98a
SHA256 e476626b33e414fdbf5a0429dfdcdf516cbecb6289ea05ff14a2f1f704def543
SHA512 93278ade40f1d296c1f1bf03731cdd33f33bedb531454b7d11a3a746566975bef05df944ca183ee2fe72e5476eb19107d7ab097a447fa323a5070e681196c8c3
-
C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
Filesize 363KB
MD5 fa3604b8da1416662d3a0eceeb38476b
SHA1 fc416a610cdd50eb3bb2e23a1245fcc748c22162
SHA256 0c3e827cf4da900b9d3f8e48fca64575f573b9fe2f2dce82b4795929d3013df9
SHA512 9544228712ec8a6487e2875da2b7a56ebbe1b2f7cc7c0c0b741b97a82e191ec40f3aeeeed8b11716ff81c30b4b70493c95a45e18274ba7444c13070db9c119df
-
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
Filesize 363KB
MD5 fa3604b8da1416662d3a0eceeb38476b
SHA1 fc416a610cdd50eb3bb2e23a1245fcc748c22162
SHA256 0c3e827cf4da900b9d3f8e48fca64575f573b9fe2f2dce82b4795929d3013df9
SHA512 9544228712ec8a6487e2875da2b7a56ebbe1b2f7cc7c0c0b741b97a82e191ec40f3aeeeed8b11716ff81c30b4b70493c95a45e18274ba7444c13070db9c119df
-
C:\Program Files (x86)\Bench\Updater\updater.exe
Filesize 70KB
MD5 158ea53d1c77e8d3ce592f55f4bf38dc
SHA1 4829a71560afa9aafe840dafcf4a275d575eac6a
SHA256 9078c4f9b220c887fce151b71086aa38d31d58a9fcb1c15547c000b2426f8d8f
SHA512 c61ccce9052a1a28add8a224618faf50a5dc6dfd9429bfab5547a4d40d0b04c31d8119c44d1e77343d61b8633f8cef3313134e981ea279ebc6a8bda1bb7157ca
-
C:\Program Files (x86)\Bench\Wd\wd.exe
Filesize: 90KB
MD5: 506bb43c05afe64fd3d5034d39c208be
SHA1: 558b9f18f39f980bb52f023d2aefe3522591aae9
SHA256: 5ab5c2450a621db03bd1f0b602adbfe1a73b4d27cb5b1d6ff5adcc026f3830c2
SHA512: 1eba87a6ceb4d392a73003de9c0316551d7c0f26cb739dee0e3625f3f75563831a7b920909fe89c7e8f3afb54db16892f23d4182ec263e3c3768c0e23291a9bd
-
C:\Program Files (x86)\protectedsurf\extension_info.json
Filesize: 1KB
MD5: 05b6eb0a8aee29f46b6a8647e7e62ded
SHA1: f5d71ca05715ed29526c01a73409e336e1e9f6dc
SHA256: 6ca680fe6e679f665637eba74954840e11c5fc0d1f91209eb3c62090d3b43213
SHA512: b56df1f56584757fb6f999fd03dce2895ce78944f78741de70a20da4ffee909d31e4feb2f5383af4e220274fa0106bc1db84093de9c3091f2771bd0f046e7cce
-
C:\Users\Admin\AppData\Local\Temp\nsa20E9.tmp
Filesize: 328B
MD5: dc319c0badb088e49524b21ffe309fff
SHA1: cce86c789ebf0ad28ec1fa067ebee03d8f6a1bc5
SHA256: 8aebf487a44350ba83fd49ba742d3edf75eec109125354233f5a570459a40c4e
SHA512: ab3a0f00b976f39d1235a0f20b9d75ea8e60c02e5b44f85adabaa432c04e5a2c56f6446aaee470014fc898d77a99cecb7ed247c66c68bf779de5b8b3a247e78a
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\System.dll
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dll
Filesize: 6KB
MD5: 0745ff646f5af1f1cdd784c06f40fce9
SHA1: bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256: fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512: 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dll
Filesize: 6KB
MD5: acc2b699edfea5bf5aae45aba3a41e96
SHA1: d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsProcess.dll
Filesize: 4KB
MD5: 05450face243b3a7472407b999b03a72
SHA1: ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256: 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512: f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsProcess2.dll
Filesize: 35KB
MD5: 6e96ea8b0dfdb326c0852a5b64d920a6
SHA1: 5ea182cb6ae5c104ca064fa8464df8ed1904eaa7
SHA256: b8762c09c2b45fc836c65a9052951de05177651d278e4cf154c754d9f5573e7a
SHA512: 02d0bd8f16ddad829b80764926f1e6dcfb35b60fbce02bec0a7fc2011164d86f633074af012de71fae33b90732ec4c7633f8a70ab24c19717926757f9c56fb4f
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\ping.js
Filesize: 541B
MD5: 1d6e3a358460c1398aa1e560ee15cde8
SHA1: 32044b503fb2b13c78f6e46b1b30b2b9cb125a86
SHA256: 32b4c5a71ababac7ee683d88694a07c39bcb391a01fc1daeb7fa283768c6527c
SHA512: 55866db4dbeba4be3ad3f245a4b390275467b603dbb7c383b41d0a71850904634b874cc7a2e5313b1f60674db8ee41db7620e03e5b3b406d1fe1ddc1b675a8eb
-
C:\Users\Admin\AppData\Local\protectedsurf\SoftwareDetector.exe
Filesize: 120KB
MD5: 791a36c814a825fdfe596e5e7eea27b7
SHA1: 10ac78b8899a727bb3bdf924312a940b8ba0bac1
SHA256: 0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f
SHA512: bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86
-
C:\Users\Admin\AppData\Local\protectedsurf\chrome_gp_update.js
Filesize: 2KB
MD5: c15a7afa4a3ed3464df40e6eb840cc73
SHA1: 51807d6d3f2567de9c4716b32f91ecc8839cc117
SHA256: 41fe7e7445819a935215fd0928f5bb1bb3a2e3df36f0c27111c99cb716064f18
SHA512: 90c7a06ceafc6cc7ab35254b3f394702d10881f363527b8fe2e2c6b3fec391141333fe7153a5cae83a6f8889fd55e7a478f1d979497d557fabcb4bcff9cc7ae7
-
C:\Users\Admin\AppData\Local\protectedsurf\chrome_installer.js
Filesize: 6KB
MD5: b84e6bbca06fb8a9489da545c7eefa57
SHA1: 76035835e1777bfff7d86e7d056392d7bd37e3a7
SHA256: aa681b9306c2c020e2164660e266c7298b31fc8b21c1b3abd5151358047ecb1f
SHA512: a560f81cdb76ac68f4e056df85789b8576e3f66b408f7a0da1c68f4efe46b63ca17734de20dd476386aa4a9e9122db7800ca8a19475d1d52f121c76db3a89dc4
-
C:\Users\Admin\AppData\Local\protectedsurf\common.js
Filesize: 13KB
MD5: b2138aac6406d0c00245703bba442164
SHA1: 269be35d6d0c909dfd08950134d7d8d9261c057c
SHA256: bb03ad0805409eced066c7c3dac7696761ffcc69a73f21d2ed0b8e13ed731f76
SHA512: f450fc962f12d9a9141a01ee7ce93f539909df89b2af01b31c74996f83659ce475c096265633e9f0193cb8e7cc816f042bfab3d5c781d0cc1d24e0df8ebb6c51
-
C:\Users\Admin\AppData\Local\protectedsurf\firefox\extension_info.json
Filesize: 1KB
MD5: 76597b4b2ababd04c7e557b22982a7b4
SHA1: 72a68c71c7d35f6d843b2e5d2a5a188190c9399f
SHA256: fb1b1618893894eeda8c0eb3f570f538027121940bd8595e4d501707a95cd78e
SHA512: 85a082252c02cfe87228124da7d2cd218dd2cdc58a0d602d5d4001d2ed6820edf367f5b25fba2c74d52ee3d9d0816eff972fd503a99002ebcb1140d0c05549d2
-
C:\Users\Admin\AppData\Local\protectedsurf\firefox_installer.js
Filesize: 6KB
MD5: 6e8d14076e1b88eb8e5f1be916807a9b
SHA1: d99d91a0ec88d8d3ff20c983607ae0df539a3200
SHA256: c03190cd1fe25cd564fe69ef0c9b4ab1cf4d2fc51118aac60389f68f73953b27
SHA512: 76b47fba913aa7b5b281584a5145b43a426a54e7ca49ade7682db0171bed67288cb748d6e88d8c8043484c9adfad6a86253d1252fe5e361bba835940f33b59a5
-
C:\Users\Admin\AppData\Local\protectedsurf\gpedit.exe
Filesize: 91KB
MD5: 47a3a3fe7cdde150add526bbcd8d571c
SHA1: 48334e741ecc51cd8715cd12a511eafe4bf5b24b
SHA256: 4e7f9b09f3eae4088f8cbd4cbc29a03125906775e2724683ae841fe0d71e892e
SHA512: 6a7efa47735a658f114f981b0f65ea903bd8cf85a1d85d66b8fbba0d63c57a612dd16ae2ede9d15f21d0f93940d3da409852d76cf4d0577574f59dcb36911b21
-
C:\Users\Admin\AppData\Local\protectedsurf\ie_installer.js
Filesize: 3KB
MD5: 3de39b38af916bcf07f7a68c5b065ffe
SHA1: 5a9dd39ca54f4fc76f805879669b25c5ad29d213
SHA256: 1bba4e6523b1a0581c008b6d7b348260a2f9f61a22daf445ed6ffa37c970c2b8
SHA512: 893c2e487a37366fea9ba8e8a61064af5c63ae5937a026ba3565872758caa6653125abcea74d84f6c2ee95c23fce030f403159c6fde6616c0ed7f1af28e0a479
-
C:\Users\Admin\AppData\Local\protectedsurf\installer.js
Filesize: 799B
MD5: 1d2e2b33ed23d2687ac7551613e3ce10
SHA1: 738fdf284c336d88f8fc178371aa073a75ac4f0f
SHA256: e6bc0ed8424b80085a08df410ad0d43ba37b052ccadfb6450a2337f37ca1288f
SHA512: af221b4bcb6e00015aced99bd47db97ad994441ee5f251106686a6da05d98289a6783a5c0ccd8e50b76216b53f1d4ab3cfda6c7fc8108b4e2f56f512cb4e7393
-
C:\Users\Admin\AppData\Local\protectedsurf\main_installer.js
Filesize: 1KB
MD5: 4ca1909eb243f179f48935c8106fdbc9
SHA1: cbc20846bb8b96fcf3b3bbb9d80709c8024a8366
SHA256: 7acaec9a466eb71fc663f6c6c3bc41ec080f544b4e864cd1e5d6d3cd06230232
SHA512: 66cc6deee36443539e6fa66ec7ef7ca0932b9b9a085296648a4448628ae21efd53a56cd592f242c5f17e88d7924b1510af1d49da220a6980aa1d004deae199a8
-
C:\Users\Admin\AppData\Local\protectedsurf\migrate.js
Filesize: 4KB
MD5: 7c936cb5190fc3ad0b581a562875e9a4
SHA1: ec727ee61e1598bafaf0085817151cc3a9d741c4
SHA256: 9770fd38208bf2b6e1676f833a90f0f5129bae080fd890614d719b43c290c167
SHA512: 987e4093e606d2ada424c3681f21a23cd8d4135a995c1286407aef3c1dcdbecec42be30961c9bb2fe92ac5a9ee5eb2715fc9c12192e6a328295f7dad28cbc341
-
C:\Users\Admin\AppData\Local\protectedsurf\projectInstaller.js
Filesize: 2KB
MD5: 2d4d6d3c8aea670a0742f1dbfb2928d2
SHA1: f6e3fa626bd3d65e439f534ea215e477ae33f66c
SHA256: 02ca4af05e5620f2bc7bd253cf002259dbf3908a8dabb941496c35b790444967
SHA512: 130969c86ecdd1dd9fa7bf88c15a526262992d93c40207e334f4774163789e3605851477480f15012b04dc678b4daa299104d63a495017a947af709fd2cb34cc
-
C:\Users\Admin\AppData\Local\protectedsurf\sqlite3.exe
Filesize: 481KB
MD5: 82771129b12517cf5c6e2244d14e8360
SHA1: 4e2a55e517f0e1324d3e8840e7db41f3883e4a01
SHA256: 3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc
SHA512: 862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46
-
C:\Users\Admin\AppData\Local\protectedsurf\storageedit.exe
Filesize: 73KB
MD5: ce8dcc1beadec52dd545174b12ac0b0b
SHA1: e6518a880c5f3561340310f468a8fc3ae379c2de
SHA256: 3a2ecbde1415deaf9ea6786e0739d1392807a36f29d838824957aabbeffb407d
SHA512: 73a08b869cdf0d01650756ba6083308f82a940325e6ef9b20358f68b489edf21f7720e15e874be4d2aed071be7c7b2e4c5a1a87bbfe4048da0c2a87697540ad8
-
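The dropped-files table is emitted one record per drop event, which is why nsExec.dll, md5dll.dll, the Bench updater binaries and SoftwareDetector.exe recur with identical hashes, and the raw export glues each label to its value ("MD5acc2…", "…nsExec.dllFilesize"). The script below is an added example, not tooling from the sandbox or code from the sample: it parses records in that raw export form, validates each digest by length so a glued label cannot be misread, collapses the repeats, and turns the result into a SHA-256 lookup for checking files found on a host. The three records in RAW_REPORT are copied from this report (md5dll.dll once, nsExec.dll twice, to stand in for its fourteen repeats); the function and type names are the example's own.

```python
"""Parse a sandbox "Dropped files" export, collapse repeated drop events,
and use the unique records as a SHA-256 IOC set. Added example for this
report; not the sandbox's own tooling."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Three records copied from this report's dropped-files table, in the raw
# export form: "<path>Filesize", size, four "<ALGO><digest>" lines, "-".
RAW_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\md5dll.dllFilesize
6KB
MD50745ff646f5af1f1cdd784c06f40fce9
SHA1bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA5128d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dllFilesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
C:\Users\Admin\AppData\Local\Temp\nseF979.tmp\nsExec.dllFilesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
FIELDS = ("path", "size", "md5", "sha1", "sha256", "sha512")

@dataclass(frozen=True)
class DroppedFile:
    path: str
    size: str
    md5: str
    sha1: str
    sha256: str
    sha512: str

def _finish(fields: Dict[str, str]) -> DroppedFile:
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"record {fields.get('path')!r} lacks {missing}")
    return DroppedFile(**fields)

def parse_dropped_files(raw: str) -> List[DroppedFile]:
    """One DroppedFile per record, repeats included, in report order."""
    records: List[DroppedFile] = []
    current: Dict[str, str] = {}
    lines = iter(raw.strip().splitlines())
    for line in lines:
        line = line.strip()
        if line == "-":                      # record separator
            if current:
                records.append(_finish(current))
                current = {}
        elif line.endswith("Filesize"):      # "<path>Filesize", then the size line
            current["path"] = line[: -len("Filesize")]
            current["size"] = next(lines, "").strip()
        elif (m := HASH_LINE.match(line)):
            algo, digest = m.group(1), m.group(2).lower()
            # the glued label is only trusted if the digest length agrees with it
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            current[algo.lower()] = digest
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if current:
        records.append(_finish(current))
    return records

def collapse_repeats(records: List[DroppedFile]) -> List[DroppedFile]:
    """Keep the first record per (path, sha256); Windows paths compare case-insensitively."""
    seen: Dict[tuple, DroppedFile] = {}
    for r in records:
        seen.setdefault((r.path.lower(), r.sha256), r)
    return list(seen.values())

def ioc_index(records: List[DroppedFile]) -> Dict[str, DroppedFile]:
    """SHA-256 -> record, for matching files recovered from a host."""
    return {r.sha256: r for r in records}

def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def match_file(path: str, iocs: Dict[str, DroppedFile]) -> Optional[DroppedFile]:
    """Report record whose SHA-256 equals that of the file on disk, else None."""
    p = Path(path)
    if not p.is_file():
        return None
    return iocs.get(sha256_of_file(p))

if __name__ == "__main__":
    unique = collapse_repeats(parse_dropped_files(RAW_REPORT))
    index = ioc_index(unique)
    for r in unique:
        hit = match_file(r.path, index)   # only meaningful on the affected Windows host
        print(f"{'HIT ' if hit else 'miss'} {r.sha256}  {r.size:>6}  {r.path}")
```

Feed it the whole table rather than the three embedded records to get the full IOC set; matching on SHA-256 rather than on path matters here because the NSIS plugin directory (nseF979.tmp) is randomly named per run, so the same nsExec.dll or md5dll.dll will sit under a different nse*.tmp name on any other host.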
memory/224-170-0x0000000000000000-mapping.dmp
-
memory/316-239-0x0000000000000000-mapping.dmp
-
memory/516-237-0x0000000000000000-mapping.dmp
-
memory/516-159-0x0000000000000000-mapping.dmp
-
memory/744-233-0x0000000000000000-mapping.dmp
-
memory/1152-190-0x0000000000000000-mapping.dmp
-
memory/1228-197-0x0000000000000000-mapping.dmp
-
memory/1412-152-0x0000000000000000-mapping.dmp
-
memory/1480-231-0x0000000000000000-mapping.dmp
-
memory/1632-230-0x0000000000000000-mapping.dmp
-
memory/1652-207-0x0000000000000000-mapping.dmp
-
memory/1708-214-0x0000000000000000-mapping.dmp
-
memory/1744-241-0x0000000000000000-mapping.dmp
-
memory/1752-229-0x0000000000000000-mapping.dmp
-
memory/1836-228-0x0000000000000000-mapping.dmp
-
memory/1844-240-0x0000000000000000-mapping.dmp
-
memory/1960-141-0x0000000000000000-mapping.dmp
-
memory/1968-227-0x0000000000000000-mapping.dmp
-
memory/2052-226-0x0000000000000000-mapping.dmp
-
memory/2276-186-0x0000000000000000-mapping.dmp
-
memory/2288-174-0x0000000003020000-0x0000000003029000-memory.dmp
Filesize: 36KB
-
memory/2288-140-0x0000000003020000-0x0000000003029000-memory.dmp
Filesize: 36KB
-
memory/2288-172-0x0000000003020000-0x0000000003029000-memory.dmp
Filesize: 36KB
-
memory/2288-173-0x0000000003020000-0x0000000003029000-memory.dmp
Filesize: 36KB
-
memory/2288-175-0x0000000003020000-0x0000000003029000-memory.dmp
Filesize: 36KB
-
memory/2288-243-0x0000000003020000-0x0000000003025000-memory.dmp
Filesize: 20KB
-
memory/2288-139-0x0000000003020000-0x0000000003029000-memory.dmp
Filesize: 36KB
-
memory/2308-171-0x0000000000000000-mapping.dmp
-
memory/2764-217-0x0000000000000000-mapping.dmp
-
memory/2936-199-0x0000000000000000-mapping.dmp
-
memory/3600-238-0x0000000000000000-mapping.dmp
-
memory/3700-179-0x0000000000000000-mapping.dmp
-
memory/3708-182-0x0000000000000000-mapping.dmp
-
memory/3852-176-0x0000000000000000-mapping.dmp
-
memory/4240-162-0x0000000000000000-mapping.dmp
-
memory/4316-222-0x0000000000000000-mapping.dmp
-
memory/4332-236-0x0000000000000000-mapping.dmp
-
memory/4400-202-0x0000000000000000-mapping.dmp
-
memory/4412-209-0x0000000000000000-mapping.dmp
-
memory/4420-242-0x0000000000000000-mapping.dmp
-
memory/4440-193-0x0000000000000000-mapping.dmp
-
memory/4524-184-0x0000000000000000-mapping.dmp
-
memory/4660-165-0x0000000000000000-mapping.dmp
-
memory/4708-232-0x0000000000000000-mapping.dmp
-
memory/4876-235-0x0000000000000000-mapping.dmp
-
memory/4920-148-0x0000000000000000-mapping.dmp
-
memory/5032-225-0x0000000000000000-mapping.dmp
-
memory/5048-234-0x0000000000000000-mapping.dmp