88977075356dc9e4c81ff59e5ffc004ab3d62070c1062ce7b690a941d5328090

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SSDRM_for_mySingle (1).exe
Size

4.4MB
MD5

4164d80ade12fd8aa36fbaa4cc9c9740
SHA1

5f85d1550d3d654ac16a9262555a586ccf167a0f
SHA256

88977075356dc9e4c81ff59e5ffc004ab3d62070c1062ce7b690a941d5328090
SHA512

69feeb77b4b79f957a6984d4f3ad549e27282aea48f032a06caf6b59dfbb62ef4f49c1e8814f827e8570f30cf930c9d752811ce5d2906de94dacfe85c018fc82
SSDEEP

98304:v0kfXXnyek4Q7OWfjdZMX3PfKSu6vIxR1QtT29daNj1lk/va:ccW4c5fjdunPy/xLQtT29IDlkXa

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1648	PCWProtectorSetup_Voice_Service.exe
1136	PCWUpdater64.exe
468	Process not Found
1336	PCWProtectorService64.exe
2540	PCWProtectorDummy64.exe
2948	PCWProtector.exe

Loads dropped DLL 61 IoCs

pid	Process
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
2776	SSDRM_for_mySingle (1).exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
2364	regsvr32.exe
1336	PCWProtectorService64.exe
2880	regsvr32.exe
2852	regsvr32.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe

Registers COM server for autorun 1 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\WMlogo.bmp	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend64.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\RdUtil.dll	PCWProtectorService64.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SSDRM_for_mySingle\uninstall.exe	SSDRM_for_mySingle (1).exe
File created	C:\Program Files (x86)\SSDRM_for_mySingle\PCWProtectorSetup_Voice_Service.exe	SSDRM_for_mySingle (1).exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\Protect\WMlogo.bmp	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWProtectorService64B.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWProtectorService64.exe	PCWUpdater64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	regsvr32.exe
File opened for modification	C:\Windows\Protect\T_Prevent64up.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\TDCommonLib64up.dll	PCWProtectorService64.exe
File created	C:\Windows\Protect\TDCommonLibup.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TftLibup.dll	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\PCWProtectorService64.exe	PCWUpdater64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	regsvr32.exe
File created	C:\Windows\Protect\PCWProtectorB.exe	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWUpdater64.exe
File opened for modification	C:\Windows\Protect\RdUtil.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWProtector.exe
File created	C:\Windows\Protect\policy.ini	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\T_Preventup.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\TDependup.exe	PCWProtectorService64.exe
File created	C:\Windows\Protect\PCWProtectorDummy64.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TModule.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TModule64.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\T_Preventup.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TDepend64up.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWUpdater64.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\Uninstall64.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCW.ocx	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\TftLib64up.dll	PCWProtectorService64.exe
File created	C:\Windows\Protect\PCW64.ocx	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWProtector.exe	PCWUpdater64.exe
File opened for modification	C:\Windows\Protect\TDCommonLibup.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\TDepend64up.exe	PCWProtectorService64.exe
File created	C:\Windows\Protect\TDependup.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\RDUtil.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\T_Prevent64up.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TDCommonLib64up.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TftLib64up.dll	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\TftLibup.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWProtectorDummy64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000015e5b-43.dat	nsis_installer_1
behavioral1/files/0x0009000000015e5b-43.dat	nsis_installer_2

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
2456	tasklist.exe
1080	tasklist.exe
2004	tasklist.exe
1980	tasklist.exe
1308	tasklist.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ = "_DPCW"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32\ = "C:\\Windows\\Protect\\PCW.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ = "C:\\Windows\\Protect\\PCW.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ = "_DPCW"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ = "PCW Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\ = "PCW ActiveX ÄÁÆ®·Ñ ¸ðµâ"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\ = "PCW Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\ = "PCW Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0\win64\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\ = "PCW Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0\win32\ = "C:\\Windows\\Protect\\PCW.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\CLSID\ = "{E0A34207-F738-4474-9E89-0A184BD3E947}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ToolboxBitmap32\ = "C:\\Windows\\Protect\\PCW64.ocx, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1648	PCWProtectorSetup_Voice_Service.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
2540	PCWProtectorDummy64.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
1648	PCWProtectorSetup_Voice_Service.exe
1336	PCWProtectorService64.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
1336	PCWProtectorService64.exe
1336	PCWProtectorService64.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	1980	tasklist.exe
Token: SeDebugPrivilege	1308	tasklist.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1136	PCWUpdater64.exe
Token: SeDebugPrivilege	1136	PCWUpdater64.exe
Token: SeDebugPrivilege	1336	PCWProtectorService64.exe
Token: SeDebugPrivilege	2364	regsvr32.exe
Token: SeDebugPrivilege	2852	regsvr32.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	2540	PCWProtectorDummy64.exe
Token: SeDebugPrivilege	2948	PCWProtector.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	1648	PCWProtectorSetup_Voice_Service.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1136	PCWUpdater64.exe
1136	PCWUpdater64.exe
2540	PCWProtectorDummy64.exe
2540	PCWProtectorDummy64.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe
2948	PCWProtector.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2544	2776	SSDRM_for_mySingle (1).exe	30
PID 2776 wrote to memory of 2544	2776	SSDRM_for_mySingle (1).exe	30
PID 2776 wrote to memory of 2544	2776	SSDRM_for_mySingle (1).exe	30
PID 2776 wrote to memory of 2544	2776	SSDRM_for_mySingle (1).exe	30
PID 2544 wrote to memory of 2456	2544	cmd.exe	32
PID 2544 wrote to memory of 2456	2544	cmd.exe	32
PID 2544 wrote to memory of 2456	2544	cmd.exe	32
PID 2544 wrote to memory of 2456	2544	cmd.exe	32
PID 2544 wrote to memory of 2520	2544	cmd.exe	33
PID 2544 wrote to memory of 2520	2544	cmd.exe	33
PID 2544 wrote to memory of 2520	2544	cmd.exe	33
PID 2544 wrote to memory of 2520	2544	cmd.exe	33
PID 2776 wrote to memory of 1016	2776	SSDRM_for_mySingle (1).exe	35
PID 2776 wrote to memory of 1016	2776	SSDRM_for_mySingle (1).exe	35
PID 2776 wrote to memory of 1016	2776	SSDRM_for_mySingle (1).exe	35
PID 2776 wrote to memory of 1016	2776	SSDRM_for_mySingle (1).exe	35
PID 1016 wrote to memory of 1080	1016	cmd.exe	37
PID 1016 wrote to memory of 1080	1016	cmd.exe	37
PID 1016 wrote to memory of 1080	1016	cmd.exe	37
PID 1016 wrote to memory of 1080	1016	cmd.exe	37
PID 1016 wrote to memory of 572	1016	cmd.exe	38
PID 1016 wrote to memory of 572	1016	cmd.exe	38
PID 1016 wrote to memory of 572	1016	cmd.exe	38
PID 1016 wrote to memory of 572	1016	cmd.exe	38
PID 2776 wrote to memory of 1104	2776	SSDRM_for_mySingle (1).exe	39
PID 2776 wrote to memory of 1104	2776	SSDRM_for_mySingle (1).exe	39
PID 2776 wrote to memory of 1104	2776	SSDRM_for_mySingle (1).exe	39
PID 2776 wrote to memory of 1104	2776	SSDRM_for_mySingle (1).exe	39
PID 1104 wrote to memory of 2004	1104	cmd.exe	41
PID 1104 wrote to memory of 2004	1104	cmd.exe	41
PID 1104 wrote to memory of 2004	1104	cmd.exe	41
PID 1104 wrote to memory of 2004	1104	cmd.exe	41
PID 1104 wrote to memory of 832	1104	cmd.exe	42
PID 1104 wrote to memory of 832	1104	cmd.exe	42
PID 1104 wrote to memory of 832	1104	cmd.exe	42
PID 1104 wrote to memory of 832	1104	cmd.exe	42
PID 2776 wrote to memory of 2204	2776	SSDRM_for_mySingle (1).exe	43
PID 2776 wrote to memory of 2204	2776	SSDRM_for_mySingle (1).exe	43
PID 2776 wrote to memory of 2204	2776	SSDRM_for_mySingle (1).exe	43
PID 2776 wrote to memory of 2204	2776	SSDRM_for_mySingle (1).exe	43
PID 2204 wrote to memory of 1980	2204	cmd.exe	45
PID 2204 wrote to memory of 1980	2204	cmd.exe	45
PID 2204 wrote to memory of 1980	2204	cmd.exe	45
PID 2204 wrote to memory of 1980	2204	cmd.exe	45
PID 2204 wrote to memory of 1804	2204	cmd.exe	46
PID 2204 wrote to memory of 1804	2204	cmd.exe	46
PID 2204 wrote to memory of 1804	2204	cmd.exe	46
PID 2204 wrote to memory of 1804	2204	cmd.exe	46
PID 2776 wrote to memory of 2316	2776	SSDRM_for_mySingle (1).exe	47
PID 2776 wrote to memory of 2316	2776	SSDRM_for_mySingle (1).exe	47
PID 2776 wrote to memory of 2316	2776	SSDRM_for_mySingle (1).exe	47
PID 2776 wrote to memory of 2316	2776	SSDRM_for_mySingle (1).exe	47
PID 2316 wrote to memory of 1308	2316	cmd.exe	49
PID 2316 wrote to memory of 1308	2316	cmd.exe	49
PID 2316 wrote to memory of 1308	2316	cmd.exe	49
PID 2316 wrote to memory of 1308	2316	cmd.exe	49
PID 2316 wrote to memory of 2368	2316	cmd.exe	50
PID 2316 wrote to memory of 2368	2316	cmd.exe	50
PID 2316 wrote to memory of 2368	2316	cmd.exe	50
PID 2316 wrote to memory of 2368	2316	cmd.exe	50
PID 2776 wrote to memory of 1648	2776	SSDRM_for_mySingle (1).exe	51
PID 2776 wrote to memory of 1648	2776	SSDRM_for_mySingle (1).exe	51
PID 2776 wrote to memory of 1648	2776	SSDRM_for_mySingle (1).exe	51
PID 2776 wrote to memory of 1648	2776	SSDRM_for_mySingle (1).exe	51

C:\Users\Admin\AppData\Local\Temp\SSDRM_for_mySingle (1).exe
"C:\Users\Admin\AppData\Local\Temp\SSDRM_for_mySingle (1).exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C %SystemRoot%\System32\tasklist /NH /FI "IMAGENAME eq xensvc.exe" | %SystemRoot%\System32\find /I "xensvc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\tasklist.exe
    C:\Windows\System32\tasklist /NH /FI "IMAGENAME eq xensvc.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find /I "xensvc.exe"
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C %SystemRoot%\System32\tasklist /NH /FI "IMAGENAME eq xenservice.exe" | %SystemRoot%\System32\find /I "xenservice.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\tasklist.exe
    C:\Windows\System32\tasklist /NH /FI "IMAGENAME eq xenservice.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find /I "xenservice.exe"
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C %SystemRoot%\System32\tasklist /NH /FI "IMAGENAME eq WorkstationAgent.exe" | %SystemRoot%\System32\find /I "WorkstationAgent.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\tasklist.exe
    C:\Windows\System32\tasklist /NH /FI "IMAGENAME eq WorkstationAgent.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find /I "WorkstationAgent.exe"
    3⤵
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C %SystemRoot%\System32\tasklist /NH /FI "IMAGENAME eq pcoip_server_win32.exe" | %SystemRoot%\System32\find /I "pcoip_server_win32.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\tasklist.exe
    C:\Windows\System32\tasklist /NH /FI "IMAGENAME eq pcoip_server_win32.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find /I "pcoip_server_win32.exe"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C %SystemRoot%\System32\tasklist /NH /FI "IMAGENAME eq VMwareView-rdeServer.exe" | %SystemRoot%\System32\find /I "VMwareView-rdeServer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\tasklist.exe
    C:\Windows\System32\tasklist /NH /FI "IMAGENAME eq VMwareView-rdeServer.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find /I "VMwareView-rdeServer.exe"
    3⤵
    PID:2368
- C:\Program Files (x86)\SSDRM_for_mySingle\PCWProtectorSetup_Voice_Service.exe
  "C:\Program Files (x86)\SSDRM_for_mySingle\PCWProtectorSetup_Voice_Service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- - C:\Windows\Protect\PCWUpdater64.exe
    C:\Windows\Protect\PCWUpdater64.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1136
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\Protect\PCW.ocx"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\Protect\PCW64.ocx"
    3⤵
    - Loads dropped DLL
    PID:2880
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Windows\Protect\PCW64.ocx"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2852

C:\Windows\Protect\PCWProtectorService64.exe
C:\Windows\Protect\PCWProtectorService64.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336
- C:\Windows\Protect\PCWProtectorDummy64.exe
  C:\Windows\Protect\PCWProtectorDummy64.exe 1
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2540
- - C:\Windows\Protect\PCWProtector.exe
    C:\Windows\Protect\PCWProtector.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj80E4.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj80E4.tmp\PCWProtector.log

Filesize
37B

MD5
fe66a57578e17ad360ab1a5ee9508730

SHA1
e3a6c924df65990dcf271caa04cf82746a30f07a

SHA256
226ca4ce9e25d28d691c3430a706d9a20095aec6a2b479167a29ca2dbdceb621

SHA512
634becc06bbb328c85d0ae34416f754f0d7ac324311a2c833fa4d9f55810749d7786ec5d60e5627425372f412f1d805eede882198569dd9eddd29e45476017af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj80E4.tmp\ioSpecial.ini

Filesize
526B

MD5
ac78435152ec91ed3a9c623129e3d69a

SHA1
719addc39b367a7dbc9c6d61fc561916aa3db048

SHA256
7c273d9fc2c688cc1080a0a06c47555017d7a7ebdcb2b3f00874ba67414a3834

SHA512
0b842eb95efcceca51163b88e56b966410e0121e836b397ddba318fb59c207db48aef72f4f99443da3515d837cf40a6e252a3076ce50b002f14efcfef7802d16

Download Submit
C:\Windows\Protect\PCW.ocx

Filesize
399KB

MD5
074b45a78113cf096d43187a5d38bbb6

SHA1
d31653a23df8e96c1f3f0f46a6178e8c3b05dcb5

SHA256
0b26f0cdc7dedcda0668ba6628aa9d3774ed5c97c7801c18b582cf4f43367f7c

SHA512
725755591e127e809be2aa7b3262178328257ff49f7666cb1005cdecb56b37936ca9b5cf83c3c343851f8c0063664def10efd9b183d94e78fcbbf46945e66c89

Download Submit
C:\Windows\Protect\PCWProtector.log

Filesize
197B

MD5
f4d12e5d11d503fd398e7f48fdf04bf4

SHA1
1217cbd64c36edfd853efeaee3810f4ecdde19bd

SHA256
e50157f90a3cd3838bef6ea293cbeac4480e931e8f2b07fcba7cc448b2d448f1

SHA512
2c1a3e59ec35562292053ce7a065790d02e8e4b0e1ef07b87d3181c274daa3dc8a9291cadba77722e8bb1d29a062e7dd63a75981bc3b76e4e3e5b9d3ebebbbbd

Download Submit
C:\Windows\Protect\PCWProtector.log

Filesize
862B

MD5
b6cb36ab2cb2ed25e290939dc587fb94

SHA1
84f3dc73b3faad7a4de22c352a8251418c436c1f

SHA256
60131a979dadf7ecfcf1cb48378357c348bfbe8f26fd44dc9873990a2dd5a213

SHA512
8a44c82f10b6690e5947021cd1b8f9e89acc3c7b5445e3bc7317fc3b64be3815885707ca2d17c8b875e551bed9a1491cae0e5f00a57336e02d75c6ee6dba4196

Download Submit
C:\Windows\Protect\PCWProtectorB.exe

Filesize
567KB

MD5
6ce74b64aee3c89d3939bb15ecfe7888

SHA1
58ec5c6b43b90aaa6fa7919c1dbf46812378efae

SHA256
ccb0bd5f3e296c35b38348cf4f231f93ce9bb57af42c328b0aba9e29103ee391

SHA512
f39486655c3d58a62d5c310ce181da0f7dee61e2d3179571b6c1e25ceba3b20c9061565708b8e7c5c5232ca3210348ed82305a105b3b678fadef7b62a2be8c64

Download Submit
C:\Windows\Protect\PCWProtectorService64B.exe

Filesize
287KB

MD5
eb2aa21de1026a8a831af0797aac9a78

SHA1
0e5e03f209a50a46ac14246ae46ef19ee14d7233

SHA256
82c4c819c4d543f6131cbc462206e9cdaf4931abe6f73c21b6df4968897572a2

SHA512
89758110eef34b9c08b09cfb10569b0ce4b16788dc68029c12fda84859240d514d2a41827a61e99b9e2a8f1be1ce251a2fd8aeba990dfbb176158f6096ad11e2

Download Submit
C:\Windows\Protect\RdUtil.dll

Filesize
274KB

MD5
47c45dc36bbf3c5e6130dcfe37c89347

SHA1
5098af2483b5e2edf205bca47d43b086ddfd8d9d

SHA256
6f149b8ff0e97d0d2dcae5a952e6bdbc6222116eb2f865c7129f32f3fd3c5fa2

SHA512
f99724202d538a554c1bc591f7d50fe3362f42b66d243b8875a4f5d9cece8b817b6d8db35c35a2016b3268be1d0f92fff12127d1ef91be784b563a88e9902c41

Download Submit
C:\Windows\Protect\TDCommonLib64up.dll

Filesize
249KB

MD5
0e00def51125c6b54261001e3bacc19d

SHA1
a361eae15275148b77f8e168bba93e05bb04abe4

SHA256
b5945295ba8cb45903c77057b13d09c80dbd6a31eb64cff1d3a7d486e02d57a1

SHA512
597b83237db5677044ede9eb71e984bc5347e64ab86780707942a8375e4a7fb700e387f10f4dbf392367bdd7ce2ce79db0877f8422ff59e79f046691cdb52aca

Download Submit
C:\Windows\Protect\TDCommonLibup.dll

Filesize
212KB

MD5
ac67f6efefd9227789aefa657264508b

SHA1
007b50e73b92d34d3f19b96ffbf64f9289f1d4d8

SHA256
35a1fe7507c35696348fb28c6f3cb5e9c2fe1a8a6966b0a0b8fd469e521f384d

SHA512
af070714a26ccd462933ffc94f8634de8e6e2da57aebf2155444413ae05741e0b6e964a539bb79db893dd75d42339e7f8c2f450c8dc7800fc830f1f606c88f0d

Download Submit
C:\Windows\Protect\TDepend64up.exe

Filesize
490KB

MD5
b48cdc4af3bda1f3c5fc02deb759cfa2

SHA1
a007d162d5de321cfe7504c4d5212dc139f54fb0

SHA256
dfabe6784c2ab53bac3e579853449a3f57e291dd16af2fc56ebb84a56e8853aa

SHA512
33cc0c7336b8651005cebd466795d90a4a66720267756652c347593868f13fb59d601c46353d714f50fb5f47c21f1c107ca3212f42f743fe725d128e8f3a0496

Download Submit
C:\Windows\Protect\TDependup.exe

Filesize
387KB

MD5
6581da8becde34bd00604ae3a34fdf22

SHA1
310597bc32305530b9864ad517cdab915bb8310e

SHA256
a46584ab1229da1cf3b16a47e90a651b5d385e5b1c7b61d63e27d0b89148687a

SHA512
6e6e0478075639ebd105c3f8201646c5728be724311ee02500ccf0295e042b57ae072a2e694be5820df44aa47466f687960056ad8bb93e060301ba4f61be0264

Download Submit
C:\Windows\Protect\T_Prevent64up.dll

Filesize
309KB

MD5
d85f0082a012d73167921468731d1503

SHA1
43e6814e086b8385a3c03fc16526ab39adb7983a

SHA256
85235decb50cb8075a305d42809eb76f2237368d7e8155bc01cb8037c9caa18c

SHA512
3dbf52b866514c0b86fcc5752fc136d71bb4a802342801d64fe0127dfffcb6b8437e89d17fa81489c7cfcddf1c97908f1e1cdeeda67b0a1aabc48e8c78376849

Download Submit
C:\Windows\Protect\T_Preventup.dll

Filesize
258KB

MD5
c84ed9fe6e818185b971a6d10f0c16b7

SHA1
95daabafe876ebea94b24f8389ca6b0c8330e4af

SHA256
2a3324961c95098164646161108231510135f461d73e8ff07a1ee1216fff286f

SHA512
f1ffbeb198d3974afc03a4c5ca466cfb325db305e6bcb48852816e2bb1a516c441ece2bd74aaecce1e2597d59219e2b2e60c880bf2a98d7634138257ac90d3d4

Download Submit
C:\Windows\Protect\TftLib64up.dll

Filesize
303KB

MD5
69848fcf204e88745974c7650c4cb133

SHA1
cabb555c3bd71277e61eb5578267e359fd4b0809

SHA256
4cbec29c1857389174f7cd2e52d09b18307f1f58e8587c5102b12ea827a08423

SHA512
26086752234fdc212155620adf50ac6853b4b0515b5bd861a07bbf0eb6eff93c1838fc2911a471912f28195355438198c28eb0d9cef51774e010b79fda4627a2

Download Submit
C:\Windows\Protect\TftLibup.dll

Filesize
254KB

MD5
7bc750a3e94403913851e41f1028a832

SHA1
d035d67133c760b48522713bd3158ec2bf17fcbc

SHA256
64aaa65abb2d5cfd49c96d349dec267e904457ec70c91fa64d0ee60b0b155817

SHA512
8de51b3bb24cedf37a8a138f5c6177d3f8ad3602b81d387a129b2a7662c53ffe91afbba09b9f26844de535bab29ade8da7e25621efbc032e903882dda3974d61

Download Submit
C:\Windows\Protect\WMlogo.bmp

Filesize
210KB

MD5
dc27cb08c2e57eb137797d6ceab3f23c

SHA1
0caac5731c117db54d0e5fdb554b5a5c5d1f7d22

SHA256
07b7953d1a9b2fac4f4208649ed18ac1cffdca7f68ccbf1373d0e5120d837e95

SHA512
51618c56101d5a9fee1806a4ca08f31eaecbd80c53ec21628f297d6d651086384d8e2bdac054240870a2b66af6ee02b3697bcf2df4af059132e495d1295cc4da

Download Submit
\Program Files (x86)\SSDRM_for_mySingle\PCWProtectorSetup_Voice_Service.exe

Filesize
4.4MB

MD5
f14cc766cc424af695d5a22cf4603b00

SHA1
c305a43566ccc3427207c47f15ea348fb042ca60

SHA256
1e679e36e89a01b3c78d9e29600350d92469bded84088b4d00df2b70d50386f7

SHA512
bd7a7dbbb0e21c8893e968a5caa0390951e00281a7670f5d226cb8417b515e581d4726e61e36a39a83cdff4942204c96c57bdd7e5c11d50c178831ac63113739

Download Submit
\Users\Admin\AppData\Local\Temp\nsj80E4.tmp\PCWPlugin.dll

Filesize
262KB

MD5
8240bee02c3ad64fe256a67479de886c

SHA1
afb6f7fede3ef1509b1be979dd3ca1ce5ea03db6

SHA256
d0a7db3315f28a3b1016b21a78d30b71d961b5979d50635c716df5c11fd1351e

SHA512
34170981f78f77814c6869f3833631726c869ddab28827260d3a9ab9fd9b899414f53a7c94517cf25afebb883e2638190c1b396259fead3cb3dc1f123b94ad33

Download Submit
\Users\Admin\AppData\Local\Temp\nsj80E4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj80E4.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nso77DF.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Windows\Protect\PCW64.ocx

Filesize
524KB

MD5
61b0ff9ac09a1da24fc7c08d22f5a33d

SHA1
9a3411af07a241d6a5fd482d3ade8d7872944d60

SHA256
68ab12650aaefa3933928ac44ab01451c8923dfdf10b309c5723affe2c946550

SHA512
2d954b764c9e793f203a07a20df6fb7fe0044652ffe61053d55872c2763708039514ee2cc13fa67bf9070d2ab93b54227681e86f663a9f4df5f711d89f4045ef

Download Submit
\Windows\Protect\PCWUpdater64.exe

Filesize
520KB

MD5
506ce3ed7e4ee4d42c05482ebd9e230f

SHA1
4eb0d15002fad41803818600aa24002581b40bfa

SHA256
29ecf971c9d8b5301171b6f786164a1cea29fbf27e20949635e4b95307b2880b

SHA512
1997a7406afee2c460200addd76aca44478df66a5f5e16d153d4ff6e4e9e2b83fca12f338b4c6a55dfad843dfae243d005d7ef1f3870b376cfe8b21ff83dd74c

Download Submit
memory/1336-163-0x00000000008C0000-0x000000000090A000-memory.dmp

Filesize
296KB

Download
memory/2948-242-0x0000000000550000-0x000000000058E000-memory.dmp

Filesize
248KB

Download