Analysis Overview
SHA256
a780198a0feede3a91b8e794d8f2404b85ecb5a93298c38e5223413e1b61acaf
Threat Level: Likely malicious
The file 3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Creates new service(s)
Registers COM server for autorun
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Modifies registry class
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-12 14:09
Signatures
VMProtect packed file
Unsigned PE
NSIS installer
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 536 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 536 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 536 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1420 -ip 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
memory/1420-0-0x0000000074C20000-0x0000000074D43000-memory.dmp
memory/1420-1-0x0000000074C20000-0x0000000074D43000-memory.dmp
memory/1420-4-0x0000000074C20000-0x0000000074D43000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240419-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
100s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1472 wrote to memory of 1852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 1852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 1852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AnimGif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AnimGif.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1852 -ip 1852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\Chinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\TraditionalChinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\uninst.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmwritecert.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\log\202405.log | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\English.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\InstallerCCID.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmccbplugin.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID\ = "GETID.GetIDCtrl.1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Control\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Control | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GetID.ocx, 1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\ = "GetID ActiveX Control module" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1\ = "132241" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID\ = "{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Version | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\ = "GetID Property Page" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn40A5.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsn40A5.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsn40A5.tmp\GetVersion.dll
| MD5 | b4cec45a9909c10a8d387c8eb72e8d0d |
| SHA1 | 609e1ff7627aa88db0adbf79897fc8c786f42be5 |
| SHA256 | aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8 |
| SHA512 | 337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a |
memory/3776-58-0x0000000002420000-0x000000000242D000-memory.dmp
C:\Windows\SysWOW64\CCBKCSPV2.dll
| MD5 | 1c9bbec0fb2356025abfbe9e5ab2389e |
| SHA1 | 1afcb5b13146983c981c3e069c0af41102e4b7de |
| SHA256 | 2e51dde6b79f7cd4655b716b8560d368a4728af50c8cad4f14378937948033fd |
| SHA512 | 814b0f195978d35f7b101881033a82f0628e9d02d345b5053db0afe4bf8b7b69f14f9c7e0119a49d9c043bbade944b2a787c5297dce7c0bcc016e34908441724 |
C:\Windows\SysWOW64\CCBKCSP.dll
| MD5 | 635c71f7a76a2917bdc642d3fe726e59 |
| SHA1 | f48ede1e746c83daa4362147b5e9bd00a3b0b012 |
| SHA256 | 2321e45539ce5d286aa8ecdbb5a402e8ee11a3d29d1ee8aed784bcb47b8df129 |
| SHA512 | 4e948e351d7ad587aab8813aa1159095687f10a4b8dc19218e5d827ceaf1d77ff946b32977560debf5e6dedf32cfd7eadc3d4197c1f5c35c3dba0f2f692ab6f7 |
memory/3776-65-0x0000000002420000-0x000000000242D000-memory.dmp
C:\Windows\SysWOW64\GetID.ocx
| MD5 | 5e46a2ab8198982de8b4a432e9b1ffa5 |
| SHA1 | 4605855364ce1f5cca174b0a721be8f4ad539816 |
| SHA256 | d128f2f8863db79ca5ad1f18ecb07c56b9f194ca5d9c049e0e53fa4916f83a93 |
| SHA512 | 6981db8de870c1f13c87155d97ac650b7d1805c03d66d9d567d1561e1ee5cd001f3d7251fb7361eea4a92e65373f52816218cab023e92977746ff094ff55b0b5 |
memory/3776-72-0x0000000002420000-0x0000000002485000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
| MD5 | 4cf8946b95aaacc7397528f87f544931 |
| SHA1 | ea453cca204512982e0f60d848e434e5f069bc94 |
| SHA256 | 690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1 |
| SHA512 | f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207 |
C:\Windows\SysWOW64\TerminateProcess_dmwz.dll
| MD5 | b8923aa4efbb7be1b46dae19947be9d8 |
| SHA1 | 13f411716c5c0020c1d7873ca06e2d0aa93898fe |
| SHA256 | 6448b4fac741623589cd16a8a26b97e17bb4fa37216138ec0ce34946b5e6fb27 |
| SHA512 | a775ea0e55e1b215b3cb9294a6edfdfc52a00624b07f2763fe34ff7d4f48b2bd6c091dee979a0909b05a16897db17e7d88dee320a67d0e7b002d664ae5b5abb4 |
memory/3776-85-0x0000000003610000-0x000000000364A000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
| MD5 | e0bde08c8be884457141256a21bbb8f1 |
| SHA1 | 1069d31ff832614a24e74ac70725857f18fb5232 |
| SHA256 | 63d72f7643282e2271d194c84f96bcc8db8f1885def02d6b908fadf5906d380a |
| SHA512 | 1a9334172383620410f8aff12c57795ca9ff93d53b1e72c97d5567bf862dadef95cd3ee4ae79f05b579142148a197422877fb6f445b69e5dc1f3a0a74bfa2241 |
memory/2924-231-0x0000000000140000-0x0000000000243000-memory.dmp
C:\Windows\SysWOW64\CCBDMBDI.dll
| MD5 | f193cf67af971f235f316af24f200d86 |
| SHA1 | 3b22b8a07d0e4348a14a5b4a8288740e1780f5de |
| SHA256 | 20c1c1f9bfc08e8068a259f99fadecad71084d252aa7a2fe7d23f69a1588bbd0 |
| SHA512 | 84db1b26898d696ad4741126c9856d740ef8d43c85f390a981029973c8adbfca47d432b8dcddfc0ba5c40dd93d810263d517feaa1b8924936a04178fed9da05b |
memory/2924-241-0x0000000075340000-0x0000000075463000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\Language\English.ini
| MD5 | b041b3f97c2e4b2d94b6d70528ba832f |
| SHA1 | dc591515c9840f410a66a236afd780ad41b34355 |
| SHA256 | b8359b0cccbc3b440d7f7af67b0b0afdf66d22cdb33607e6fc975c3d6bf2ed34 |
| SHA512 | 19472670ce7a712094a0efd310d49baa52728ecdc8c5ea9a9bbb3be0ddfd9ffe63285e90f6a7d434ab378f3e5bebbc74101b9370839d7f99d3870ccc3b46cd6c |
C:\Program Files (x86)\CCBComponents\DMWZ\Language\Chinese.ini
| MD5 | f53a01d6d4aab83782a2bdb812fb8fbe |
| SHA1 | ddb61adc4541c44d486374d69c82ba48f36e03f2 |
| SHA256 | 6dc5e1703b5b8843e77ec42aaf0233d737a6702d07c99eafe2d070f7c3d46275 |
| SHA512 | 4b2dd62c5e3a903470903b0c2913ee3b97e2581acc2e33fe486d3f31fa9ba9ff78d4979d693d8f07648cb2f194e4b2e2a1939f435a9327ef7675e75933e6067d |
C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini
| MD5 | e7750f1ca97ab8dce4052948bd2edd6f |
| SHA1 | a27413430b8f782ccb8ba6bcf5f11a9928e0535c |
| SHA256 | b6a40c7cd04ca11ed95495e089a69e56f799fabf0f39568f4ee7bb19ae49d769 |
| SHA512 | 5b36b9459730b19e7485ea7d882e4ca132197493d8d33616618e3646b30b782001682dcab5f02c24ca22cf2d76c97d99098b17440937c54d10bbd40a8eb39228 |
memory/2924-245-0x0000000075340000-0x0000000075463000-memory.dmp
memory/2924-244-0x0000000000140000-0x0000000000243000-memory.dmp
memory/2924-246-0x0000000000140000-0x0000000000243000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2468 wrote to memory of 3504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2468 wrote to memory of 3504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2468 wrote to memory of 3504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3504 -ip 3504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
108s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 1108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5008 wrote to memory of 1108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5008 wrote to memory of 1108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1108 -ip 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5072 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5072 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5072 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 940 -ip 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_x86.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_X64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_x86.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_X64.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ = "C:\\Windows\\system32\\HDCCBCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBNetSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ = "C:\\Windows\\system32\\wdccb.dll" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCB_GMSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ = "C:\\Windows\\system32\\ccb_tdrmanager.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\USBKeyTools.exe = "C:\\Program Files (x86)\\CCBComponents\\HDZB\\USBKeyTools.exe" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdcertm_ccb = "C:\\Windows\\SysWOW64\\WatchData\\Watchdata CCB OCL CSP v3.2\\WDCertM_CCB.exe" | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D4Svr_CCB.exe = "D4Svr_CCB.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\logo.bmp | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\config.ini | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\plc4.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files\CCBComponents\uninst.exe | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\ProviderName.ini | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\D4C_1.gif | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\TDRLang_CCB.ini | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBClientChgCert.exe | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\HD_TokenV2.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\CCB_GMSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe.bak0 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\recfull.ico | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\HDZB\log\202405.log | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Keyboard_Sel.bmp | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\D4T.gif | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\4100.ini | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\mfc42.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseTraditional.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\WATCHDATA\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\ProviderName.ini | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZBSNCtrl.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CAROOT.cer | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Hand_TDR.bmp | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npTDRImportCertCtrl.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZBCertCtrl.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\WatchData.ico | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\InfoScan.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\English.ini | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess_x64.exe_Rename | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\CCBUsertool.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\plds4.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\softokn3.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe.bak0 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBEnckey.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz2G.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\CCBComponents\WATCHDATA\log\202405.log | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ssl3.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\CCBUsertool.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\HD_Comm.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\sqlite3.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\1033.ini | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File opened for modification | C:\Program Files\CCBComponents\WATCHDATA\log\202405.log | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\D4Svr_CCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\D4Svr_CCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\D4Svr_CCB.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AA89F02-8FA5-4CE1-993F-E4E0FC29F5F8} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E259BB9-1543-437E-A1F0-697B841E716A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\ToolboxBitmap32\ = "C:\\PROGRA~2\\CCBCOM~1\\Detector\\InfoScan.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0349E403-6DA9-4D60-8401-A60A3D98B311}\1.0\ = "GDCCBCtrl 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBNetSignCom.InfosecCCBNetSign.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B68A6EED-9D99-4565-BAFA-289CEAC0FB9C}\Insertable\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BC28C669-7606-4A2C-99C8-A6757DF92F29}\1.0\0\win32\ = "C:\\Program Files (x86)\\CCBComponents\\Detector\\OSCCAInfosecNetSign.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCB_GMSignCom.CCB_GMSignCtl.1\CLSID\ = "{7F432EA4-52B9-442C-AFBD-E1A73AD87043}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57328AEB-35E3-4967-8AAF-BC4E82DDB2A6}\TypeLib\ = "{B2410330-4B42-48FC-9645-0C3C0955D0C5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B68A6EED-9D99-4565-BAFA-289CEAC0FB9C}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AA89F02-8FA5-4CE1-993F-E4E0FC29F5F8}\VersionIndependentProgID\ = "OSCCAInfosecNetSign.InfosecNetSign" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\ = "InfoScan Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33AB374F-0297-42AA-A073-A26618FEDBA6}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BC28C669-7606-4A2C-99C8-A6757DF92F29}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\MiscStatus\1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{984783CE-DDA1-4A69-95C9-3ED17EBF80E2}\ = "_DSwxCrypt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SWXCRYPT.SwxCryptCtrl.1\ = "SwxCrypt Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{959E40E2-793D-472E-9732-9536A31F3337}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID\ = "{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WDCCB.WDCCBCtrl\CLSID\ = "{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{984783CE-DDA1-4A69-95C9-3ED17EBF80E2}\TypeLib\ = "{6D65CBA7-22CF-40C0-AEE0-02104BF2A5AC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9249C471-F21F-47E8-9988-0F48C119E54D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA03DDFB-C718-4058-A68D-7B610550F3D7}\ = "_ICCB_GMSignCtlEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5DFD97E-664A-483F-A69B-55096D1A4E59}\TypeLib\ = "{33AB374F-0297-42AA-A073-A26618FEDBA6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF33C2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\Control\ | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B45B58FF-1085-48DB-8DB0-C6C4F2FB8597}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FE2B467-9121-4610-96C7-24DD7F06861D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\AppID = "{2FF73CA3-1F46-4055-B458-3349104D9A4D}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WDCCB.WDCCBCtrl\CLSID\ = "{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63D36960-31DC-4D7C-BC3F-E8CB9CA5CBD8}\1.0\0\win64\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B585722C-BFC8-4F52-A250-DE76C3CCA287} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GetID.ocx, 1" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\TypeLib\ = "{0349E403-6DA9-4d60-8401-A60A3D98B311}" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ccb_tdrmanager.Token_CCB\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\TypeLib | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A0241EF-D5BE-40B9-A3B6-08AF87EC987F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\MiscStatus\ = "0" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEEF9BA4-6081-4768-8566-85D26E323ED8} | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B45B58FF-1085-48DB-8DB0-C6C4F2FB8597}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B585722C-BFC8-4F52-A250-DE76C3CCA287}\ = "IInfosecNetSign" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\TypeLib\ = "{959E40E2-793D-472E-9732-9536A31F3337}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\VersionIndependentProgID\ = "CCBNetSignCom.InfosecCCBNetSign" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\MiscStatus\1\ = "131473" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C0E2A06-E1AE-424D-807D-F0EA1C675037}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = 0300000001000000140000001fe7a4a0984f10046ce3007d24e135c0828683a12000000001000000c7010000308201c330820166a003020102020600dbbc432b86300c06082a811ccf5501837505003035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f54301e170d3135303432353039303330315a170d3435303432353039303330315a3035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f543059301306072a8648ce3d020106082a811ccf5501822d034200047108bd2781def82a96655bb818265771a839bf32812b7cc4623b21f44d1c0e517fb15bdc3435a94d989a3476369aa105faefd53ae2bddf9263d518bfa2065c4aa360305e301f0603551d230418301680142e96d3f701920b15b70a2e691847d85eddb0354e300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604142e96d3f701920b15b70a2e691847d85eddb0354e300c06082a811ccf55018375050003490030460221008a45416d9cb81de03028c53168f89dc85dc197c6c498545f7ac708721baed189022100e8e47cc8dc138b915e3a15fd10f87d08d0c877b70ee5725af971ee31fca58666 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
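The Blob values in the table above use the Windows serialized-certificate format: a sequence of property records (DWORD property id, DWORD reserved, DWORD length, data), of which property 3 is the SHA-1 thumbprint and property 32 is the DER certificate itself, and the registry key name is that same thumbprint. One Blob survives in full in this report (key 1FE7A4A0984F10046CE3007D24E135C0828683A1, written by CCB_HDZB_USBKEY_2G_Setup_S64.exe). The following Python is an added example, not part of the sandbox report or of the analysed installer: it parses that Blob with the standard library only, checks that the SHA-1 of the embedded certificate matches both the stored hash property and the key name, and reads subject, validity, basicConstraints and signature algorithm with a minimal DER walker. Only subject-equals-issuer is checked for "self-signed"; the SM2 signature itself is not verified, since the standard library has no SM2 support.

```python
"""Check a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value (stdlib only).

Blob layout: repeated records of  DWORD propid | DWORD reserved (1) | DWORD len | data.
Property 3 is CERT_SHA1_HASH_PROP_ID, property 32 is CERT_CERT_PROP_ID (DER cert).
"""
import hashlib
import json
import struct

CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 32

# Key name and Blob hex copied from the report row written by CCB_HDZB_USBKEY_2G_Setup_S64.exe.
REPORT_KEY = "1FE7A4A0984F10046CE3007D24E135C0828683A1"
_NAME = ("3035310b300906035504061302434e310f300d060355040a0c06434342534d32"
         "3115301306035504030c0c434342534d324341524f4f54")  # C=CN, O=CCBSM2, CN=CCBSM2CAROOT
REPORT_BLOB_HEX = (
    "030000000100000014000000" "1fe7a4a0984f10046ce3007d24e135c0828683a1"
    "2000000001000000c7010000" "308201c3" "30820166" "a003020102" "020600dbbc432b86"
    "300c06082a811ccf550183750500" + _NAME +
    "301e170d3135303432353039303330315a170d3435303432353039303330315a" + _NAME +
    "3059301306072a8648ce3d020106082a811ccf5501822d03420004"
    "7108bd2781def82a96655bb818265771a839bf32812b7cc4623b21f44d1c0e51"
    "7fb15bdc3435a94d989a3476369aa105faefd53ae2bddf9263d518bfa2065c4a"
    "a360305e301f0603551d230418301680142e96d3f701920b15b70a2e691847d85eddb0354e"
    "300f0603551d130101ff040530030101ff" "300b0603551d0f040403020106"
    "301d0603551d0e041604142e96d3f701920b15b70a2e691847d85eddb0354e"
    "300c06082a811ccf550183750500" "0349003046"
    "0221008a45416d9cb81de03028c53168f89dc85dc197c6c498545f7ac708721baed189"
    "022100e8e47cc8dc138b915e3a15fd10f87d08d0c877b70ee5725af971ee31fca58666"
)


def _tlv(buf, off=0):
    """Read one DER tag-length-value at `off`; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def _children(value):
    """All TLVs packed inside a SEQUENCE/SET value, as (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _tlv(value, off)
        out.append((tag, val))
    return out


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _name(value):
    """X.501 Name -> {attribute OID: string}; e.g. 2.5.4.3 is commonName."""
    out = {}
    for _, rdn in _children(value):             # SET OF AttributeTypeAndValue
        for _, attr in _children(rdn):
            (_, oid), (_, val) = _children(attr)
            out[_oid(oid)] = val.decode("utf-8")
    return out


def parse_blob(blob):
    """Split the registry Blob into {property_id: bytes}."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def describe_cert(der):
    """Minimal X.509 walk: serial, names, validity, CA flag, signature algorithm OID."""
    _, body, _ = _tlv(der)
    (_, tbs), (_, sig_alg), _sig = _children(body)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                    # explicit [0] version (v3)
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = (f[1] for f in fields[:5])
    not_before, not_after = (v.decode("ascii") for _, v in _children(validity))
    is_ca = False
    if len(fields) > 6 and fields[6][0] == 0xA3:  # [3] extensions
        for _, ext in _children(_children(fields[6][1])[0][1]):
            parts = _children(ext)
            if _oid(parts[0][1]) == "2.5.29.19":    # basicConstraints: SEQUENCE { cA BOOLEAN }
                is_ca = b"\x01\x01\xff" in parts[-1][1]
    return {"serial": serial.hex().upper(), "issuer": _name(issuer), "subject": _name(subject),
            "self_signed": issuer == subject, "not_before": not_before, "not_after": not_after,
            "is_ca": is_ca, "signature_algorithm": _oid(_children(sig_alg)[0][1])}


def check_registry_entry(key_name, blob_hex):
    """Parse a Blob and confirm the certificate's SHA-1 matches both the stored hash and the key name."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest().upper()
    info = describe_cert(der)
    info.update({"properties": sorted(props), "der_length": len(der),
                 "stored_sha1": props[CERT_SHA1_HASH_PROP_ID].hex().upper(),
                 "computed_sha1": computed, "thumbprint_matches_key": computed == key_name.upper()})
    return info


if __name__ == "__main__":
    print(json.dumps(check_registry_entry(REPORT_KEY, REPORT_BLOB_HEX), indent=2))
```

For this Blob the walk yields a self-signed CA certificate (subject = issuer = C=CN, O=CCBSM2, CN=CCBSM2CAROOT, basicConstraints cA=TRUE) valid from 2015-04-25 to 2045-04-25, signed with OID 1.2.156.10197.1.501 (SM2 signature with SM3, the Chinese GM/T algorithm suite; the key's curve OID 1.2.156.10197.1.301 is the SM2 curve). The thumbprint that checks out against the key name is also the value a responder passes to the Windows-native `certutil -delstore Root <thumbprint>` to remove the anchor; note that the `certutil.exe` in the process list below is the NSS tool dropped under CARoot, not that Windows binary.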
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
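The process list that follows records the installer's mechanics: services stopped, deleted and recreated through sc.exe and net.exe, silent COM registration through regsvr32, registry imports through regedit /S, and NSS certutil/modutil calls that add a trust anchor and a PKCS#11 module to the Firefox profile. The Python below is an added triage helper, not part of the sandbox report or of the analysed installer: it tokenises Windows command lines and pulls the security-relevant parameters (service name and binPath, registered module, imported .reg file, NSS nickname and trust flags, PKCS#11 library) into structured findings. The sample input is copied from this report's own process list; the finding labels are names chosen for this example.

```python
"""Triage sandbox command lines for service, COM, registry-import and NSS trust changes."""
import json

# Sample command lines copied from this report's process list (last one has no finding).
SAMPLE_CMDLINES = [
    r'sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"',
    r'C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"',
    r'C:\Windows\system32\sc.exe config SCardSvr start= auto',
    r'C:\Windows\system32\net.exe STOP "HZ_CommSrv"',
    r'regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll"',
    r'regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx',
    r'regedit.exe /S C:\Windows\system32\CCB_RootCert.reg',
    r'"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer"',
    r'"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe" -force -add "CCB-TDR-PKCS11" -libfile "C:\Windows\system32\D4CSP_CCB.dll" -dbdir "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin"',
    r'"C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe"',
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring double quotes (quotes removed)."""
    tokens, cur, quoted = [], "", False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def _basename(path):
    """Image name regardless of slash style (the report mixes '\\' and '/')."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _kv_pairs(toks):
    """sc.exe style 'key= value' pairs (sc requires the space after '=')."""
    return {t[:-1].lower(): toks[i + 1] for i, t in enumerate(toks[:-1]) if t.endswith("=")}


def _opt(toks, flag):
    """Value following a '-flag' option, or None."""
    for i, t in enumerate(toks[:-1]):
        if t == flag:
            return toks[i + 1]
    return None


def triage(cmd):
    """Return one finding dict for a command line, or None if nothing of interest."""
    toks = split_cmdline(cmd)
    if not toks:
        return None
    exe, args = _basename(toks[0]), toks[1:]
    if exe == "sc.exe" and len(args) > 1:
        verb = args[0].lower()
        if verb == "create":
            kv = _kv_pairs(args)
            return {"finding": "service_create", "service": args[1],
                    "binpath": kv.get("binpath"), "start": kv.get("start")}
        if verb in ("stop", "start", "delete", "config"):
            return {"finding": "service_control", "verb": verb, "service": args[1]}
    if exe in ("net.exe", "net1.exe", "net1") and len(args) > 1 and args[0].lower() in ("stop", "start"):
        return {"finding": "service_control", "verb": args[0].lower(), "service": args[1]}
    if exe in ("regsvr32.exe", "regsvr32"):
        flags = {a.lower().replace("-", "/") for a in args if a[:1] in "/-"}
        targets = [a for a in args if a[:1] not in "/-"]
        if targets:
            return {"finding": "com_unregister" if "/u" in flags else "com_register",
                    "module": targets[0], "silent": "/s" in flags}
    if exe == "regedit.exe":
        files = [a for a in args if a.lower().endswith(".reg")]
        if files:
            return {"finding": "registry_import", "file": files[0],
                    "silent": any(a.lower() == "/s" for a in args)}
    if exe == "certutil.exe" and "-A" in args:      # NSS certutil syntax, not the Windows tool
        trust = _opt(args, "-t") or ""
        ssl_flags = trust.split(",")[0]              # first group = SSL trust; C/T mark a CA
        return {"finding": "nss_trust_anchor", "nickname": _opt(args, "-n"), "trust": trust,
                "profile": _opt(args, "-d"), "cert": _opt(args, "-i"),
                "trusted_ca": bool(set("CT") & set(ssl_flags))}
    if exe == "modutil.exe" and "-add" in args:
        return {"finding": "nss_pkcs11_module", "name": _opt(args, "-add"),
                "library": _opt(args, "-libfile"), "profile": _opt(args, "-dbdir")}
    return None


def triage_all(cmds):
    """Findings for a list of command lines, in input order, skipping non-findings."""
    return [f for f in (triage(c) for c in cmds) if f]


if __name__ == "__main__":
    print(json.dumps(triage_all(SAMPLE_CMDLINES), indent=2))
```

Two details matter when reading the output: the NSS trust string "TC,TC,TC" marks the added certificate as a trusted CA for TLS servers, e-mail and code signing in that Firefox profile, which is why the `nss_trust_anchor` finding is flagged `trusted_ca`; and sc.exe's `start= auto` on the freshly created service, together with `config SCardSvr start= auto`, is the persistence that the "Creates new service(s)" signature summarises.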
Processes
C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\InfoScan.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\InfoScan.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\sc.exe
sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
C:\Program Files\Mozilla Firefox\InstallP11_2G.exe
"C:\Program Files\Mozilla Firefox\InstallP11_2G.exe" /install "HDZB USBKEY 2G" "C:\Windows\system32\CCB_HDZB_2G_P11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -s SCardSvr
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start CertPropSvc
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start CertPropSvc
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "HZ_CommSrv"
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /uninstall
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /install
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\system32\HZ_CommSrv.exe /install
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 START "HZ_CommSrv"
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe
"C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe" /install "HDZB USBKEY" "C:\Windows\system32\HDCCBpkcs11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe
"C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_x86.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_x86.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_x86.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_x86.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe
"C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\OnKey_Install_Silent_v1.0.0.1.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe" -install
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegSecurity
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBRoot
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "CT,C,C" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBP11
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe" -force -add "CCB-TDR-PKCS11" -libfile "C:\Windows\system32\D4CSP_CCB.dll" -dbdir "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin"
C:\Windows\SysWOW64\D4Svr_CCB.exe
D4Svr_CCB.exe restart
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBPlugin
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32/D4Svr_CCB.exe kill
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32/ie_tdr.reg
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_AUTO_RUN.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_RootCert.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_IESECLEVER.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\Trust.reg
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32\D4Svr_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\system32\D4Ser_CCB.exe -i -s
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CAROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CAROOT.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CACHILD" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/kfphrdoc.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CACHILD.cer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_x64_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\CCB_DM_LCD_x64_silent.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_X64.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_X64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe"
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_X64.exe
"C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_X64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe"
C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe"
C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wdccb.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
| SHA512 | 38c54a752b53c60e7fe2a7c66f81757e3f047fd37339ac2b25c83b6a61320ce646c407c2ad90eb68e91702dbffd0dd3c9a39fddc2ba1df6c187a525e013b7d32 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\csp3.0\wdsafe3.sig
| MD5 | 6094a43708a73c15f42bd86be9ddc630 |
| SHA1 | 8fe16cbdfbec7bcb3c72218f2ede77704fe55711 |
| SHA256 | 8155052dae9c57a525eb2802128a2b6fb4c0e078009bc5762620ca13f9a83b30 |
| SHA512 | 885d56f5990bb6ca58599454739bc52a54a36accbf9fa7c7ea2a423e6bcce198dc0ae6d005d345654f54bf29567871c283731446535da513651c43c1e4cca3d2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\DisplayKey.gif
| MD5 | b5cc4051adf7489a983c0655c27bc9f3 |
| SHA1 | f52d0a0e0e2dfedcab73a6328b8e413b4285a512 |
| SHA256 | ad86465eb3baca8d9457fe1bd15d76572a6c625a384d4f7b0ff542776245cbcb |
| SHA512 | 0d3c9778e5a87b1c01ec4898fe446222ca608f50ca04f689f7bcd5ca75d3449912fb5d9b4c99a1e332699c82bf0ba3590bb1a8f05e2bac1b408130182fecc320 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\DisplayKeyA18.gif
| MD5 | 8ae5a38dde3366113b5a099afc5c4acc |
| SHA1 | 342efca15e9dff99c9824314b9e6cc4d4a48a95d |
| SHA256 | e69e87c9ef9a44ed8fa9bfcb1202a86bb32f0edcdc181eb88934740197645b17 |
| SHA512 | 3a993babea78ec3a57539902edc8e5b92c365050e67fed70180765749bfa628d3eb8cfea3f5f69dc212386c15ad82fd3e10bc1ebfe68cf2387f2a59e4eddc048 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\DisplayKeyA7-3.gif
| MD5 | 31fbd8899e7f643ebf4c4ceb83891370 |
| SHA1 | caa9b2e2e8899cd9991470591c7b4e9a43cc689c |
| SHA256 | 74852a53ccd6c5f5d43ad2fca653f6c90aee3325dd519b139e8b586890c750d1 |
| SHA512 | f9caf2ca398b6a8a78e9b33f16389c1a429bab15497549b220fd848e2b88aba60bdb8cdab9c938825e37ff82f42ec21b4e5309f4350468f3ae0404b2ff9ef838 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe
| MD5 | 4d08993a5c750d23aa86d857e2a8c69b |
| SHA1 | 301ee29d1f36e6ccd61353e160641dcaabbb8746 |
| SHA256 | 3287f9d987e555e1daf5b2822c46bb6eb22c6276d1fb57b9320bfda531577dac |
| SHA512 | 8505ee21f5b0f40d3538e699fa401563bfa4f4a479febc8af4e1fd30adc8d596a2e77cec8b6d2af8ab235425bdefbcec7d0016d197cdf39e3fa6b267a3c23744 |
C:\Windows\System32\WatchData\Watchdata CCB OCL CSP v3.2\WatchSafe.ini
| MD5 | 437a6c0afda9b657dbb78c5f5ffd5309 |
| SHA1 | f52eba92e149b33545d8eb2871fcb6d13875014a |
| SHA256 | 369f90e05201ca7bc9b06e5f5065217242c60431e45ae761727a147ca17cdefb |
| SHA512 | eba5ed76c7b359ab48c069846740e26cfcb9a35abfa3594962d4204bd2479594f4c1303ca6f9fc767f23afcde0498cb91244c46a6a99dfc67f426d228080855b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\SetupTraditional.ini
| MD5 | 746207c70c7529818806fccda0c96287 |
| SHA1 | fc9cd32fdda60dcd67006fc755e4cba9d981c58b |
| SHA256 | 357d4804d3802d6857de7fff9f31f65419e028f622274cccc9e6dafbc10e9024 |
| SHA512 | cc55dfc25bd72fc6ad84465ae1362b7813658bf021d17c046ba164525818f6edd79540b14d9e3cdf0a0be2b530d85cff0db1dc769821ea06e439cfa63cdcd731 |
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\nsDialogs.dll
| MD5 | ab73c0c2a23f913eabdc4cb24b75cbad |
| SHA1 | 6569d2863d54c88dcf57c843fc310f6d9571a41e |
| SHA256 | 3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457 |
| SHA512 | 99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8 |
C:\Users\Admin\AppData\Local\Temp\nsz4577.tmp\AnimGif.dll
| MD5 | 11e94fedb34f46458f9dc773a91f2770 |
| SHA1 | 791cf30880c74df9d6f7c1e637e4fdf5fa88b38a |
| SHA256 | 54ccdcb42fb3e63b7a55e8c0e7d12182a0338ea38b106b793ca048000a189ab5 |
| SHA512 | 57dd38bebdd7d8fbc4b3daeecabc5c2617d4f5b2f6ad2396a702f1da362bc72deacfea2dd1550b0e00269188676324e1b7dd6ed372211c8bf664af824ac8d950 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
130s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4196 wrote to memory of 4380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4196 wrote to memory of 4380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4196 wrote to memory of 4380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240419-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 248
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4616 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240215-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\log\202405.log | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\uninst.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\InstallerCCID.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\English.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\TraditionalChinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmwritecert.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\Chinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmccbplugin.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Control | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\ = "GetID Property Page" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GetID.ocx, 1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Control\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Version | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID\ = "{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1\ = "132241" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\ = "GetID ActiveX Control module" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
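The two registry tables above ("Adds Run key to start application" and "Modifies registry class") are where the persistence in this detonation lives: a Run value named CCBCertificate pointing at the dropped CCBCertificate.exe, and InprocServer32 defaults for CLSIDs {128EEE5A-...} and {5C144630-...} pointing at C:\Windows\SysWow64\GetID.ocx. The script below is an added example, not part of the sandbox's tooling or the page's own output: it parses rows in the `| Description | Indicator | Process | Target |` layout used on this page, keeps only writes that create an autostart (Run/RunOnce values and COM in-process servers), normalises the kernel object path `\REGISTRY\MACHINE\...` to the `HKLM\...` form reg.exe accepts, and emits a query to check a host for each one. The sample rows are copied from the tables above; the function and class names, and the user-writable directory heuristic, are this example's own assumptions.

```python
"""Turn sandbox registry signature rows into hunt-ready persistence IOCs.

Added example for this report (not the sandbox's own code). Handles two
autostart forms seen in the tables above:
  * Run / RunOnce values:  ...\CurrentVersion\Run\<name> = "<exe>"
  * COM in-proc servers:   ...\CLSID\{GUID}\InprocServer32\ = "<dll>"
"""
import re
from dataclasses import dataclass

# Heuristic (assumption): images under these directories are writable by a
# normal user and therefore more suspicious as autostart targets.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
INPROC = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)

# Constructed input: rows copied from the signature tables on this page,
# plus one duplicate Run row to show de-duplication.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
"""


@dataclass(frozen=True)
class PersistenceIoc:
    kind: str            # "run_key" or "com_inproc_server"
    hive_key: str        # HKLM\... path usable with reg.exe / PowerShell
    name: str            # Run value name, or the CLSID for COM servers
    image: str           # executable or DLL that gets loaded
    user_writable: bool  # image lives in a user-writable directory


def parse_rows(text: str):
    """Yield (description, indicator, process, target) for each data row."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue  # not a data row (header or malformed)
        yield tuple(cells)


def unquote(value: str) -> str:
    """Turn the report's "C:\\\\dir\\\\x.exe" rendering into a plain path."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace("\\\\", "\\")


def split_indicator(indicator: str):
    """Split 'key\\name = "data"' into (key_path, value_name, data).
    A trailing backslash on the key denotes the (Default) value."""
    key, sep, data = indicator.partition(" = ")
    if not sep:
        return None
    key = key.strip()
    if key.endswith("\\"):
        return key[:-1], "", unquote(data)
    key_path, _, value_name = key.rpartition("\\")
    return key_path, value_name, unquote(data)


def to_hive(key_path: str) -> str:
    """Rewrite the kernel object path the sandbox logs into HKLM/HKU form."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"),
                         ("\\REGISTRY\\USER\\", "HKU\\")):
        if key_path.upper().startswith(prefix):
            return hive + key_path[len(prefix):]
    return key_path


def extract_persistence(rows_text: str) -> list:
    """Keep only 'Set value' rows that create an autostart; drop duplicates."""
    found = []
    for description, indicator, _process, _target in parse_rows(rows_text):
        if not description.startswith("Set value"):
            continue
        parsed = split_indicator(indicator)
        if parsed is None:
            continue
        key_path, value_name, data = parsed
        writable = bool(USER_WRITABLE.search(data))
        if RUN_KEY.search(key_path) and value_name:
            found.append(PersistenceIoc("run_key", to_hive(key_path), value_name, data, writable))
        else:
            m = INPROC.search(key_path)
            if m and value_name == "":  # only the (Default) value names the DLL
                found.append(PersistenceIoc("com_inproc_server", to_hive(key_path), m.group(1), data, writable))
    return list(dict.fromkeys(found))  # sandboxes often log the same write twice


def hunt_command(ioc: PersistenceIoc) -> str:
    """reg.exe query that checks a host for this autostart. Wow6432Node is
    part of the logged path, so 64-bit reg.exe can query it literally."""
    if ioc.kind == "run_key":
        return f'reg query "{ioc.hive_key}" /v {ioc.name}'
    return f'reg query "{ioc.hive_key}" /ve'


if __name__ == "__main__":
    for ioc in extract_persistence(SAMPLE_ROWS):
        flag = " [user-writable image]" if ioc.user_writable else ""
        print(f"{ioc.kind}: {ioc.name} -> {ioc.image}{flag}")
        print("   ", hunt_command(ioc))
```

On the rows above this yields one Run-key entry and two COM servers, all three loading from Program Files (x86) or SysWow64 rather than a user-writable directory, which is consistent with a bank-plugin installer rather than commodity malware dropping into %TEMP%; the same parser run over the full "Modifies registry class" table would also pick up any InprocServer32 the summary's "Registers COM server for autorun" refers to.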
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd14F9.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsd14F9.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nsd14F9.tmp\GetVersion.dll
| MD5 | b4cec45a9909c10a8d387c8eb72e8d0d |
| SHA1 | 609e1ff7627aa88db0adbf79897fc8c786f42be5 |
| SHA256 | aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8 |
| SHA512 | 337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a |
\Windows\SysWOW64\CCBKCSPV2.dll
| MD5 | 1c9bbec0fb2356025abfbe9e5ab2389e |
| SHA1 | 1afcb5b13146983c981c3e069c0af41102e4b7de |
| SHA256 | 2e51dde6b79f7cd4655b716b8560d368a4728af50c8cad4f14378937948033fd |
| SHA512 | 814b0f195978d35f7b101881033a82f0628e9d02d345b5053db0afe4bf8b7b69f14f9c7e0119a49d9c043bbade944b2a787c5297dce7c0bcc016e34908441724 |
memory/2212-52-0x0000000000510000-0x000000000051D000-memory.dmp
\Windows\SysWOW64\CCBKCSP.dll
| MD5 | 635c71f7a76a2917bdc642d3fe726e59 |
| SHA1 | f48ede1e746c83daa4362147b5e9bd00a3b0b012 |
| SHA256 | 2321e45539ce5d286aa8ecdbb5a402e8ee11a3d29d1ee8aed784bcb47b8df129 |
| SHA512 | 4e948e351d7ad587aab8813aa1159095687f10a4b8dc19218e5d827ceaf1d77ff946b32977560debf5e6dedf32cfd7eadc3d4197c1f5c35c3dba0f2f692ab6f7 |
memory/2212-56-0x0000000000510000-0x000000000051D000-memory.dmp
\Windows\SysWOW64\GetID.ocx
| MD5 | 5e46a2ab8198982de8b4a432e9b1ffa5 |
| SHA1 | 4605855364ce1f5cca174b0a721be8f4ad539816 |
| SHA256 | d128f2f8863db79ca5ad1f18ecb07c56b9f194ca5d9c049e0e53fa4916f83a93 |
| SHA512 | 6981db8de870c1f13c87155d97ac650b7d1805c03d66d9d567d1561e1ee5cd001f3d7251fb7361eea4a92e65373f52816218cab023e92977746ff094ff55b0b5 |
memory/2212-60-0x0000000001F00000-0x0000000001F65000-memory.dmp
\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
| MD5 | 4cf8946b95aaacc7397528f87f544931 |
| SHA1 | ea453cca204512982e0f60d848e434e5f069bc94 |
| SHA256 | 690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1 |
| SHA512 | f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207 |
\Windows\SysWOW64\TerminateProcess_dmwz.dll
| MD5 | b8923aa4efbb7be1b46dae19947be9d8 |
| SHA1 | 13f411716c5c0020c1d7873ca06e2d0aa93898fe |
| SHA256 | 6448b4fac741623589cd16a8a26b97e17bb4fa37216138ec0ce34946b5e6fb27 |
| SHA512 | a775ea0e55e1b215b3cb9294a6edfdfc52a00624b07f2763fe34ff7d4f48b2bd6c091dee979a0909b05a16897db17e7d88dee320a67d0e7b002d664ae5b5abb4 |
memory/2212-70-0x00000000037C0000-0x00000000037FA000-memory.dmp
\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
| MD5 | e0bde08c8be884457141256a21bbb8f1 |
| SHA1 | 1069d31ff832614a24e74ac70725857f18fb5232 |
| SHA256 | 63d72f7643282e2271d194c84f96bcc8db8f1885def02d6b908fadf5906d380a |
| SHA512 | 1a9334172383620410f8aff12c57795ca9ff93d53b1e72c97d5567bf862dadef95cd3ee4ae79f05b579142148a197422877fb6f445b69e5dc1f3a0a74bfa2241 |
memory/2640-182-0x00000000001B0000-0x00000000002B3000-memory.dmp
memory/2212-181-0x00000000037C0000-0x00000000038C3000-memory.dmp
memory/2640-183-0x00000000001B0000-0x00000000002B3000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\Language\English.ini
| MD5 | b041b3f97c2e4b2d94b6d70528ba832f |
| SHA1 | dc591515c9840f410a66a236afd780ad41b34355 |
| SHA256 | b8359b0cccbc3b440d7f7af67b0b0afdf66d22cdb33607e6fc975c3d6bf2ed34 |
| SHA512 | 19472670ce7a712094a0efd310d49baa52728ecdc8c5ea9a9bbb3be0ddfd9ffe63285e90f6a7d434ab378f3e5bebbc74101b9370839d7f99d3870ccc3b46cd6c |
C:\Program Files (x86)\CCBComponents\DMWZ\Language\Chinese.ini
| MD5 | f53a01d6d4aab83782a2bdb812fb8fbe |
| SHA1 | ddb61adc4541c44d486374d69c82ba48f36e03f2 |
| SHA256 | 6dc5e1703b5b8843e77ec42aaf0233d737a6702d07c99eafe2d070f7c3d46275 |
| SHA512 | 4b2dd62c5e3a903470903b0c2913ee3b97e2581acc2e33fe486d3f31fa9ba9ff78d4979d693d8f07648cb2f194e4b2e2a1939f435a9327ef7675e75933e6067d |
C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini
| MD5 | e7750f1ca97ab8dce4052948bd2edd6f |
| SHA1 | a27413430b8f782ccb8ba6bcf5f11a9928e0535c |
| SHA256 | b6a40c7cd04ca11ed95495e089a69e56f799fabf0f39568f4ee7bb19ae49d769 |
| SHA512 | 5b36b9459730b19e7485ea7d882e4ca132197493d8d33616618e3646b30b782001682dcab5f02c24ca22cf2d76c97d99098b17440937c54d10bbd40a8eb39228 |
C:\Windows\SysWOW64\CCBDMBDI.dll
| MD5 | f193cf67af971f235f316af24f200d86 |
| SHA1 | 3b22b8a07d0e4348a14a5b4a8288740e1780f5de |
| SHA256 | 20c1c1f9bfc08e8068a259f99fadecad71084d252aa7a2fe7d23f69a1588bbd0 |
| SHA512 | 84db1b26898d696ad4741126c9856d740ef8d43c85f390a981029973c8adbfca47d432b8dcddfc0ba5c40dd93d810263d517feaa1b8924936a04178fed9da05b |
memory/2640-193-0x0000000074950000-0x0000000074A73000-memory.dmp
memory/2640-194-0x0000000074950000-0x0000000074A73000-memory.dmp
memory/2640-197-0x00000000001B0000-0x00000000002B3000-memory.dmp
memory/2640-198-0x0000000074950000-0x0000000074A73000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4048 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4048 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2248 -ip 2248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2696 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2696 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2696 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1564 -ip 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 652
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240508-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCB_GMSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBNetSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ = "C:\\Windows\\system32\\wdccb.dll" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ = "C:\\Windows\\system32\\HDCCBCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ = "C:\\Windows\\system32\\ccb_tdrmanager.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdcertm_ccb = "C:\\Windows\\SysWOW64\\WatchData\\Watchdata CCB OCL CSP v3.2\\WDCertM_CCB.exe" | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D4Svr_CCB.exe = "D4Svr_CCB.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\USBKeyTools.exe = "C:\\Program Files (x86)\\CCBComponents\\HDZB\\USBKeyTools.exe" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\English.ini | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\WD_Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_detect_hdzb.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\CCBComponents\WATCHDATA\log\202405.log | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmccbplugin.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess_x64.exe_Rename | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\config.ini | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\CCBUsertool.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CACHILD.cer | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_hdzb_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\CCBComponents\WATCHDATA\log\202405.log | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\2052.ini | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\4100.ini | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess.exe | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\WATCHDATA\ProviderName.ini | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\sqlite3.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ssl3.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CAROOT.cer | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\CCBUsertool.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_watchdata.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\WATCHDATA\install_low.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\InfoScan.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\uninst.exe | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\recfull.ico | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseTraditional.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\usb.inf | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\5124.ini | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\WatchData.ico | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_watchdata2G_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\InstallerCCID.exe | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\cert\ccbcert.cer | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\HD_ClientChangeCert.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\WATCHDATA\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\English.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npTDRSNctrl.dll | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File created | C:\Program Files\CCBComponents\DMWZ\language\Chinese.ini | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\DisplayK54.gif | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\CCB_GMSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_hdzb_GM.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe | N/A |
| File opened for modification | C:\Program Files\CCBComponents\WATCHDATA\install_low.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\nssckbi.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\DisplayK43.gif | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\softokn3.dll | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBNetSignCom.InfosecCCBNetSign\CurVer\ = "CCBNetSignCom.InfosecCCBNetSign.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63D36960-31DC-4D7C-BC3F-E8CB9CA5CBD8}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\TypeLib\ = "{0349E403-6DA9-4d60-8401-A60A3D98B311}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\Control | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B68A6EED-9D99-4565-BAFA-289CEAC0FB9C}\MiscStatus\1\ = "132241" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B7F63FD-BDD9-44DC-AFF3-8E4263B6644B}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BC28C669-7606-4A2C-99C8-A6757DF92F29} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E259BB9-1543-437E-A1F0-697B841E716A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86} | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0349E403-6DA9-4D60-8401-A60A3D98B311}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4016A333-2167-4833-8228-499E2F7F1F69}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A0241EF-D5BE-40B9-A3B6-08AF87EC987F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27F16E17-284E-410D-80B5-32C2B32E2330}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B7F63FD-BDD9-44DC-AFF3-8E4263B6644B}\VersionIndependentProgID\ = "NetSign.InfoSecNetSign" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBSignCom.SignCom.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98729C57-FC65-44AC-BE3B-CDCCD551FE03}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wdccb.dll" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A41E8A-1444-43AD-A194-664816D6EF23} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4016A333-2167-4833-8228-499E2F7F1F69} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57328AEB-35E3-4967-8AAF-BC4E82DDB2A6}\ = "IInfosecCCBNetSign" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C0E2A06-E1AE-424D-807D-F0EA1C675037} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBSignCom.SignCom\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Control | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B44DDA5F-CBD4-428E-A82A-041C0634A603}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBNetSignCom.InfosecCCBNetSign.1\CLSID\ = "{BC96F5A4-C930-4226-ADAB-59349AE585E9}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0349E403-6DA9-4D60-8401-A60A3D98B311}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\HDCCBCtrl.dll" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B45B58FF-1085-48DB-8DB0-C6C4F2FB8597}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\MiscStatus\1\ = "131473" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\ProgID\ = "CCBSignCom.SignCom.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BC28C669-7606-4A2C-99C8-A6757DF92F29}\1.0\ = "OSCCAInfosecNetSign 1.0 类型库" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID\ = "GDCCBCtrl.SNCtrl" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32\ = "C:\\Windows\\system32\\GetID.ocx, 1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B44DDA5F-CBD4-428E-A82A-041C0634A603}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27F16E17-284E-410D-80B5-32C2B32E2330}\ = "_DSwxCryptEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF33C2B}\TypeLib\ = "{0349E403-6DA9-4D60-8401-A60A3D98B311}" | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98729C57-FC65-44AC-BE3B-CDCCD551FE03}\1.0\0\win32 | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57328AEB-35E3-4967-8AAF-BC4E82DDB2A6}\TypeLib\ = "{B2410330-4B42-48FC-9645-0C3C0955D0C5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B7F63FD-BDD9-44DC-AFF3-8E4263B6644B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AEEF9BA4-6081-4768-8566-85D26E323ED8}\TypeLib\ = "{98729C57-FC65-44AC-BE3B-CDCCD551FE03}" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC16B67A-B2BA-4D0C-9F3A-24F200680629}\TypeLib\ = "{E1A41E8A-1444-43AD-A194-664816D6EF23}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBSIGNCOM.CCBSignComCtrl.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD45B150-DE36-486C-8590-F3BA84989601}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9249C471-F21F-47E8-9988-0F48C119E54D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCB_GMSignCom.CCB_GMSignCtl.1\CLSID\ = "{7F432EA4-52B9-442C-AFBD-E1A73AD87043}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4016A333-2167-4833-8228-499E2F7F1F69}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\INFOSCAN.InfoScanCtrl.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\ToolboxBitmap32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\TypeLib | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FFA12F84-D089-4CE1-BCDE-6F7F1383C3FE}\ProxyStubClsid32 | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4016A333-2167-4833-8228-499E2F7F1F69}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\VersionIndependentProgID\ = "ccb_tdrmanager.Token_CCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118.exe"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\InfoScan.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\InfoScan.dll"
C:\Windows\syswow64\cmd.exe
C:\Windows\syswow64\cmd.exe /C regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\sc.exe
sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
C:\Program Files\Mozilla Firefox\InstallP11_2G.exe
"C:\Program Files\Mozilla Firefox\InstallP11_2G.exe" /install "HDZB USBKEY 2G" "C:\Windows\system32\CCB_HDZB_2G_P11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start CertPropSvc
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start CertPropSvc
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "HZ_CommSrv"
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /uninstall
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /install
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\system32\HZ_CommSrv.exe /install
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 START "HZ_CommSrv"
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe
"C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe" /install "HDZB USBKEY" "C:\Windows\system32\HDCCBpkcs11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe
"C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_x86.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_x86.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_x86.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_x86.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe" -i
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe
"C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\OnKey_Install_Silent_v1.0.0.1.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe" -install
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegSecurity
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBRoot
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "CT,C,C" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/uu0g08su.Admin"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBP11
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe" -force -add "CCB-TDR-PKCS11" -libfile "C:\Windows\system32\D4CSP_CCB.dll" -dbdir "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/uu0g08su.Admin"
C:\Windows\SysWOW64\D4Svr_CCB.exe
D4Svr_CCB.exe restart
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBPlugin
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32/D4Svr_CCB.exe kill
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32/ie_tdr.reg
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_AUTO_RUN.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_RootCert.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_IESECLEVER.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\Trust.reg
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32\D4Svr_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\system32\D4Ser_CCB.exe -i -s
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/uu0g08su.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CAROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/uu0g08su.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CAROOT.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CACHILD" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/uu0g08su.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CACHILD.cer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.ocx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCB_GMSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_x64_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_x64_silent.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_X64.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_LOW_X64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe"
C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_X64.exe
"C:\Users\Admin\AppData\Local\Temp\nsd198B.tmp\WatchSAFE_CCB_Pro_v3.4.0_User_X64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe"
C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe"
C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wdccb.dll
Network
Files
\Users\Admin\AppData\Local\Temp\nsd198B.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nsd198B.tmp\UserInfo.dll
| MD5 | 1e8e11f465afdabe97f529705786b368 |
| SHA1 | ea42bed65df6618c5f5648567d81f3935e70a2a0 |
| SHA256 | 7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b |
| SHA512 | 16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b |
\Users\Admin\AppData\Local\Temp\nsd198B.tmp\nsProcess.dll
| MD5 | 05450face243b3a7472407b999b03a72 |
| SHA1 | ffd88af2e338ae606c444390f7eaaf5f4aef2cd9 |
| SHA256 | 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89 |
| SHA512 | f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b |
\Users\Admin\AppData\Local\Temp\nsd198B.tmp\nsExec.dll
| MD5 | e54eb27fb5048964e8d1ec7a1f72334b |
| SHA1 | 2b76d7aedafd724de96532b00fbc6c7c370e4609 |
| SHA256 | ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824 |
| SHA512 | c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4 |
C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx
| MD5 | e4f5e04513036f0ddca8452f6b88981c |
| SHA1 | a31c11631df92f0bf4d79e90bdb5769e856d79c0 |
| SHA256 | 2b3d9e41ee6faac2964f185fc9db6da191beeb2a6e55fe551761d2c0b3d891cc |
| SHA512 | b1a491f8b25bdf51577a38b683b3d67fd652bfaf90aa9ef8332a35d33403cc889838b72a3ec1f15c424a5284ec182b22110514b58e94e8d55c8a329556153949 |
C:\Program Files (x86)\CCBComponents\Detector\MFC42.DLL
| MD5 | e86be780ab092a5f616236c5cdec5c88 |
| SHA1 | 8893b05e2fe515d93a755f67c74091c731add120 |
| SHA256 | fe06c741cf9f72b08663ff95a5ff5aa1dade854637f4ebbc2357490788405ae5 |
| SHA512 | 361e773bc208a409da92e5a5feb97736942665543a3f1da710b3909dd8000f793b3cefe8a47f4f53cff6340050b37c86da802c010a68acce6a3c9d16e26e960d |
C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll
| MD5 | 6e273d4a6e9c7d903c7bab06d236a8d5 |
| SHA1 | aa16f5fae95970c25512302f735e1ef17f207ad1 |
| SHA256 | ab9ecb56a434c27d7d7759f292107ca96247cd695886e6df7715be7645f468ab |
| SHA512 | 4e9b1f28377d6b335db37d7d84cecdf70e8ca34dd3082c1e06c3731e32c578b8073e5f25e395319a55b0a96c1c6b216600e1350129190ee1b5706853b7c6efa4 |
\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx
| MD5 | e1201caf7fb3afdb374d3b920861a44d |
| SHA1 | 9bd5a5d32d54b50a9977da72d30081585402795f |
| SHA256 | 3b1fead7a903b7e130ff4bd13984af2c7f6709f452cb2900052a8fac92ea9208 |
| SHA512 | f4fdd73be7e08fe82fdb43b8813593053e5e4a5c62e2575a005b8b85e7d30a3bee091c66b6d9c73e5dc6b0fee81898b6c03dee4da14bcdd0ee1194ab5ca9a86d |
C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll
| MD5 | 2ff34fe3f36fbfa2a294e74d697c2a08 |
| SHA1 | ed380eb82606ca061ad41e6f0adbab336a8a31db |
| SHA256 | 37cadf96f82b728536f4d3ac646d7431826118c0f3549ad1fa45a81c653e4647 |
| SHA512 | 7de686d6b906458af4e05adce4a7cea793d2e77e0f9ee7dd909f3c45fd8d47f997ea8e7677fcc3c85e1fb3cee6fa480acbcc67596b33fc90a4f69f409d7ba316 |
C:\Program Files (x86)\CCBComponents\Detector\OSCCAInfosecNetSign.dll
| MD5 | cf451316cb2250e0debd552e4dc9b727 |
| SHA1 | 66e74ad7cb8eb6b4c5986670541832922e55c5b0 |
| SHA256 | dad1c0b8aadea29930115a78caca5b0bf6bfaec8b561f0d818d396a7c521715e |
| SHA512 | 4a09a2214c83dec033c3b137e35f8557f2fc0b72e9110e7d34b85a1502037eaa7dc8daa68f7652c62d9a54adf5027fd6f9cb70e901f5f4dccf6f3f94d22f95be |
C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll
| MD5 | f6a368156833b41c599b20abb170c311 |
| SHA1 | 81e37a72ac80b0241316d307f0fe1fae12cb1292 |
| SHA256 | cfff2006afce81335b920cdc79f891400fb58e8bac8849a7cfc3af1395c9cff3 |
| SHA512 | 1105ec1d006ca02462f803da3b5a8fcd663f7efc4f3ff900d796f4aa1b1a0da4879d2f283c6f6c6d83207fd3bc54ebca592f8b7ddbb3090a0b42636212320537 |
\Program Files (x86)\CCBComponents\Detector\CCB_GMSignCom.dll
| MD5 | 5ff73145e92972b7bc676eb7e417b90f |
| SHA1 | f8fd6f624453240dce8c4d9753ddc63323a92d1a |
| SHA256 | 1ca4326bceb304111af72eb3db6a3149b49bc389bab8fae02ae8d40cbbd45f1d |
| SHA512 | 68fcae61701da5190a10ec8e04406d881a64422029a3146fa1c54558bc88e8e51150baf2db821bf01a02864afc3630bbb23b9d3e415349fc77f94f536387dd4c |
C:\Program Files (x86)\CCBComponents\Detector\InfoScan.dll
| MD5 | 5cb64d5b941ec3d20ac6d7857684c2bb |
| SHA1 | f2bfe5aaaad94eda13af0539ecc77e9bdc1f0934 |
| SHA256 | 1860b4b05a00601804c1dcaff6be842b793439415856dc15ee8a4ba919ae4e81 |
| SHA512 | 0ad989eca15e8a02c7add455ee5e302f060644c040aaab4be453df1638a64986f61a1f18e4ec82d671f0903b6d2a820a2d1ccfc34aff7f6dec823a92c18c889d |
memory/1804-101-0x0000000002320000-0x000000000241E000-memory.dmp
C:\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx
| MD5 | 62837d39d1936664809ae7adc52b5d0e |
| SHA1 | 5f79dd73ed525ae182a60a039fc3d06288e8fd44 |
| SHA256 | e53e3ce9e2185bc0a2f80f8a8d860b199a4a312bd7f3db0a147d9dc5e92d520d |
| SHA512 | ee888f9ae9e8f78195a67bb5d4404b86e7c5bff13141d179f9e34372a2323b1eec1668a917d81c9b717565fda11e161aa752485610e4b1db2865d0631c631c80 |
\Users\Admin\AppData\Local\Temp\nsd198B.tmp\CCB_DM_LCD_32_silent.exe
| MD5 | b02ffa6f60d9892d69e00b4b01c84390 |
| SHA1 | 358fb4e6a7be08b026490abcd5fbbfe8bf855318 |
| SHA256 | cc925736b2aba91a8190ccbe61dc27ccfdbf6f7b1ff26399a2ddcbdc6da80eea |
| SHA512 | 9e005259fc81dc2e9a6139ad7b74ff36358b389de79c404c61f4c89ab00b4032ded3cbce2701948be4d9aa184f0bc5137a0939138eb75905e4e8a10d1ab60009 |
\Users\Admin\AppData\Local\Temp\nso5978.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nso5978.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nso5978.tmp\GetVersion.dll
| MD5 | b4cec45a9909c10a8d387c8eb72e8d0d |
| SHA1 | 609e1ff7627aa88db0adbf79897fc8c786f42be5 |
| SHA256 | aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8 |
| SHA512 | 337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
| MD5 | 4cf8946b95aaacc7397528f87f544931 |
| SHA1 | ea453cca204512982e0f60d848e434e5f069bc94 |
| SHA256 | 690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1 |
| SHA512 | f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207 |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe
| MD5 | d9967301eb3c30324e05b2d53cea1622 |
| SHA1 | d1d4f19850d81c7c7cd07e81b6bfab7c924f27af |
| SHA256 | 9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a |
| SHA512 | 22deb414b396eb311120a774d2f47756c8b3fa6d0b4d11c961172272879d8ba315355b51da9d884d65f5ba14f12fd36387fdb50f1abaadea9223394b138c54a3 |
\Windows\SysWOW64\CCBKCSPV2.dll
| MD5 | 1c9bbec0fb2356025abfbe9e5ab2389e |
| SHA1 | 1afcb5b13146983c981c3e069c0af41102e4b7de |
| SHA256 | 2e51dde6b79f7cd4655b716b8560d368a4728af50c8cad4f14378937948033fd |
| SHA512 | 814b0f195978d35f7b101881033a82f0628e9d02d345b5053db0afe4bf8b7b69f14f9c7e0119a49d9c043bbade944b2a787c5297dce7c0bcc016e34908441724 |
memory/2452-213-0x0000000000300000-0x000000000030D000-memory.dmp
\Windows\SysWOW64\CCBKCSP.dll
| MD5 | 635c71f7a76a2917bdc642d3fe726e59 |
| SHA1 | f48ede1e746c83daa4362147b5e9bd00a3b0b012 |
| SHA256 | 2321e45539ce5d286aa8ecdbb5a402e8ee11a3d29d1ee8aed784bcb47b8df129 |
| SHA512 | 4e948e351d7ad587aab8813aa1159095687f10a4b8dc19218e5d827ceaf1d77ff946b32977560debf5e6dedf32cfd7eadc3d4197c1f5c35c3dba0f2f692ab6f7 |
memory/2452-217-0x0000000000300000-0x000000000030D000-memory.dmp
\Windows\SysWOW64\GetID.ocx
| MD5 | 5e46a2ab8198982de8b4a432e9b1ffa5 |
| SHA1 | 4605855364ce1f5cca174b0a721be8f4ad539816 |
| SHA256 | d128f2f8863db79ca5ad1f18ecb07c56b9f194ca5d9c049e0e53fa4916f83a93 |
| SHA512 | 6981db8de870c1f13c87155d97ac650b7d1805c03d66d9d567d1561e1ee5cd001f3d7251fb7361eea4a92e65373f52816218cab023e92977746ff094ff55b0b5 |
memory/2452-221-0x00000000004B0000-0x0000000000515000-memory.dmp
\Program Files (x86)\CCBComponents\Plugins\CARoot\libplc4.dll
| MD5 | 3f272e5e11ee246c749be22e032d8ecc |
| SHA1 | 59ee06cd5a4f7eebb155f7afbececa31f028fcc0 |
| SHA256 | c8703b949959875ef89048e28bc5dc0d852ea2e4b71f0561a751d478c514ea39 |
| SHA512 | 1f1c70ff62cf3d1eea05493e32065d5093c0123591cc0862a18ed4b12d2fedbe8ca5625bb2910b71e6f54728322e4e0f0472ff1523fd0c87039a81ed89364eca |
\Program Files (x86)\CCBComponents\Plugins\CARoot\nspr4.dll
| MD5 | fe0d7456cb53476e4cce3c75ec03bbb9 |
| SHA1 | db27b7aba5aae04dde9e7c571c72fb16de2d2554 |
| SHA256 | dc066b51cb93562d3981bbd0dd8f824f191de66a311a2c181161074752c268fa |
| SHA512 | acac6690673e7d3e1c55efed8f9b888e32d4ba03597233af3d897e2fd36853e1a42697c2a5109fbb188e8b4d024eec1f9844cadc29b3001f269ad0b7416ee33e |
\Program Files (x86)\CCBComponents\Plugins\CARoot\libplds4.dll
| MD5 | 49998f7c68e5ef9024ddfa95fc7f4861 |
| SHA1 | daea1862a3263d793df136d6d19e7cb5430ad0b7 |
| SHA256 | b420d5c6bd86f8fb14ce459340aea8b2ce1c1e382e56f7a1ab2b13b401b5a282 |
| SHA512 | 0ea4cf2329029b2c8df8d50d1a5af28b493f85f04dac1d163065d74c265f7261580a8673b3b730def725564d3a7c4eb8f0c0bb2c7ac1d5703739bea92b390387 |
\Program Files (x86)\CCBComponents\Plugins\CARoot\libnspr4.dll
| MD5 | b23f114ea3c7d763f27c26e5836c3b57 |
| SHA1 | afa5720eb883c7c4dce115701ccaaa59a09fb9eb |
| SHA256 | 8e3476f28c540d4dee38890cbc05834866930b8a08b3034f8ada5528321f8890 |
| SHA512 | 3640e7f94b327e4ab9b0e205c1c35807b851342caa352febc2ebeba128a7a7f755f08fb2df6cd166a65d7b4183bab11299d7af9bb8050149b81189c7f87705e1 |
\Program Files (x86)\CCBComponents\Plugins\CARoot\nssutil3.dll
| MD5 | 0b45d4cd1ed4f840e8419e3523442f07 |
| SHA1 | d99617ab9b24b9b87481a2a00a6d72ce639e5611 |
| SHA256 | 313885db0aa185cd91eb516d9649276382c41bbf7dcafe30f87c80c9a3c0743e |
| SHA512 | cff35acaed89b3a44e62f73ae5c6ac97cac9d505a6b8d8eb9c7d62298b227844a3fd99bd9cd03087b682a3c2a6e83175670faaadfa5b5e1e4dc87c18fa2ee6e0 |
\Program Files (x86)\CCBComponents\Plugins\CARoot\nss3.dll
| MD5 | 2ba192cdd158267b0a62a514220ec21e |
| SHA1 | bffcaba4f7a3cda6d426c3bc94f3e4fc0b4e8f14 |
| SHA256 | fcba9dc618fb63804e977ddba96103c05e5a5f8bef9b2e78f48247b9463dd2b6 |
| SHA512 | 3fbc5e7b126dee0aefe5cf36d64699357f6cf88ea3b4748063d969e4484c4d868a204462670d566c879781b0446ef49f50466c4a7f774f535cd49bc1d053f9c0 |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\softokn3.dll
| MD5 | 3035410f2883f38209b13aaabcdd5e88 |
| SHA1 | 73c21c31c60f098ec3aea6abec1eba344276133b |
| SHA256 | 8328e22fccdf4c2d12d3553bad8080197c103f9d0f491f1c107564b087922d56 |
| SHA512 | 757bb14c62a6c56d71b58fdb59a0cae8085bf1c3ed0b1f2827f91c27abf28ae65a24fd67e82995e14de5add0f91874a90df261636260ba54b1bb0e68047ce13f |
memory/2232-246-0x0000000002A20000-0x0000000002B2D000-memory.dmp
memory/2452-253-0x0000000001F10000-0x0000000001F4A000-memory.dmp
C:\Windows\SysWOW64\TerminateProcess_dmwz.dll
| MD5 | b8923aa4efbb7be1b46dae19947be9d8 |
| SHA1 | 13f411716c5c0020c1d7873ca06e2d0aa93898fe |
| SHA256 | 6448b4fac741623589cd16a8a26b97e17bb4fa37216138ec0ce34946b5e6fb27 |
| SHA512 | a775ea0e55e1b215b3cb9294a6edfdfc52a00624b07f2763fe34ff7d4f48b2bd6c091dee979a0909b05a16897db17e7d88dee320a67d0e7b002d664ae5b5abb4 |
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
| MD5 | e0bde08c8be884457141256a21bbb8f1 |
| SHA1 | 1069d31ff832614a24e74ac70725857f18fb5232 |
| SHA256 | 63d72f7643282e2271d194c84f96bcc8db8f1885def02d6b908fadf5906d380a |
| SHA512 | 1a9334172383620410f8aff12c57795ca9ff93d53b1e72c97d5567bf862dadef95cd3ee4ae79f05b579142148a197422877fb6f445b69e5dc1f3a0a74bfa2241 |
memory/2784-348-0x0000000000E90000-0x0000000000F93000-memory.dmp
memory/2784-349-0x0000000000E90000-0x0000000000F93000-memory.dmp
memory/2784-353-0x0000000073F60000-0x0000000074083000-memory.dmp
memory/2784-354-0x0000000073F60000-0x0000000074083000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd74A4.tmp\ExecCmd.dll
| MD5 | b9380b0bea8854fd9f93cc1fda0dfeac |
| SHA1 | edb8d58074e098f7b5f0d158abedc7fc53638618 |
| SHA256 | 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244 |
| SHA512 | 45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c |
memory/2552-411-0x0000000000480000-0x00000000004B1000-memory.dmp
C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll
| MD5 | dc5da3352e24d99089cc861b3212e6a8 |
| SHA1 | 98b6e565338ce920564dd38a4e8d67a168b2a793 |
| SHA256 | 35d871fe7504d7ac1e68ba6350888d4e951f6dddb3f886deea8dc0a7415bb39e |
| SHA512 | 154b3261f49ad7c35dc2f8ad779f35cdb76aacb87e3133a74b24e21cad3c284ac565b212acc0b70c96d454a3a9cd0acee82964649ac51785b920ad2f3c24be55 |
memory/2552-448-0x0000000000500000-0x0000000000518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd74A4.tmp\hzSrv.dll
| MD5 | 5ca5705fd76fcc5ea7877d5321a97481 |
| SHA1 | cf04d06e91e443c4161ac56b4d9a621453153be0 |
| SHA256 | a3bd8e3648e169ee6452f270c03b89d9d5bb31de02e1698d8dffa3189d8ad64a |
| SHA512 | c9c2a0574fb8fa39636bea5293246f1837678da64de3719102063b1eed8b2dfb58451414a07e534e471dc00393c0e39305a23242d2b26d321a7c7c60d4e5a536 |
C:\Users\Admin\AppData\Local\Temp\nsd74A4.tmp\ThreadTimer.dll
| MD5 | 697f61a904654e9363e28c5223182994 |
| SHA1 | df916f7098e3f89a5cf100529ba3480feba71ce9 |
| SHA256 | 5ffc3354029e6c6ed0a7db4690fe74d453980a3f21dc8cf0fb94cb5bbd421ac1 |
| SHA512 | 3bfd89810bccb0d8b389988201f65b8823f138f763a1cc0cbeebdeee5a086c5c8dfb18e2a4d664648224bb96dce0ce7b6936ccc63b10f6f56fc1a4247a0d0eb4 |
C:\Users\Admin\AppData\Local\Temp\nsd74A4.tmp\InstDrv.dll
| MD5 | e33c90099612f1769abae7da48953731 |
| SHA1 | e111dfa793910b7a4c4c0a845415f4de839f5f41 |
| SHA256 | e513f09fa603941cf40bd76e458069966a616b3e125b772f85259ea2a9fbd937 |
| SHA512 | 1fa472a40c3bc05e2e970a7621ae0d40d5d86e6c75d28807d6780330a735254653c777f73aff5ae60af8e2030df3bd535bfa2ec0e9ddeb5b18303b3124169d8a |
memory/912-565-0x0000000001CD0000-0x0000000001D01000-memory.dmp
C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe
| MD5 | 2ee763536226ae317cabc8750fca6d2a |
| SHA1 | 25e644b246e810eb76abbce0ddd7a311ccc86599 |
| SHA256 | a5470f7f96567abda014d4507ecfb5ae682b5c6de3c3ee7d0ac1469f661fb2a3 |
| SHA512 | 9d31e0519c4d0e0167e779a35c225ebcdbc2441c49c5e1d946ace8a245b002fd1b1d717f963224ef4015cfa9c76eeb45bed3ce0dfa1c2ab2d14d6af8e59990ca |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\SetupTraditional.ini
| MD5 | 552c83aded1c98d5d0de09e90475bf05 |
| SHA1 | d559e17cbbce1a36b9417cfff808fac60aecb86f |
| SHA256 | 05235ce44a76532d2c46affb2acea1898856025be673c15bfecc35fbe823b90b |
| SHA512 | 1d06a8e956638c007f1e2bfa16e4aa67c48cfd4da61847379f0c4255c469f81f43ff6dc47a662425121d2f89ac1d880f576d7c6c2300f7725d084e567c394380 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install_LOW.exe
| MD5 | eb50768663388b36a233cbee5003dfd6 |
| SHA1 | 07b988a5745ea835ed2ce291b7bf4e1fc3d78ffa |
| SHA256 | a3b73f830ea30bcc983baacc3f632aca6b05c091b06606909a34ee979b1ad726 |
| SHA512 | b98c2f6d969cc00a67e387e520043b4e86a188f68e5cc57200faa229d276958fc33ed10ba45b156ebaa564c98ab655efc48e3f2e7d09890a382478a04c773b9f |
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WDCertM_CCB.exe
| MD5 | 31fe2dda40fa1024715f61998560c2f7 |
| SHA1 | 3e8b64b380bee8920504ad5b4774e403ab85f92a |
| SHA256 | f3a916ebae046aec1a97f983b8fc9f1c047e5a636ab3d92fbb80758220210b03 |
| SHA512 | f580f0bea759d5c0ba0b641c8d5c8a5252786a26bfeec12130aafc4d0d2c8694abf803cff707fef526dfb47483130d75863ec96cd0e8e54bb8edeb0705e6ddf9 |
C:\Windows\SysWOW64\WatchData\Watchdata CCB CSP v3.2\WatchSafe.ini
| MD5 | 8ff4659db9e333091ef36f717791733d |
| SHA1 | 1a0d22b65f8e27d2da85050ae49f2d4c3af79257 |
| SHA256 | 9d0703beabe518bce268e8b494d0677008dfd3bfe88306d624702ac081bacdb5 |
| SHA512 | 5d09c25f2433150b68a3e939df5d3b511a318e8d3194a4024398cf098389c59c500441ddf3a7ed6344a5a5385e1f92ac156ac688324877871dcee20fc3d71fb7 |
memory/2740-712-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\csp3.0\wdsafe3.dll
| MD5 | d160f725f8ba5f8e571152bc57ee639f |
| SHA1 | 963ebcb6adbbd76b3adc64f24474b1fa90a3be70 |
| SHA256 | 998771a77263d3815a5aef87ccfbd8da5bcb92c8f8145d125b7c3179b3be1a5e |
| SHA512 | be990ed35782d25cf9aaf11ea3c0178a3fbb65c398190510b739123d7741bcb551510d64794a259cd7ad14b92967f64d2b875a124f04482c92c2ec9ea29639fc |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\csp3.0\wdsafe3.sig
| MD5 | 481c38d86ed96d779f65b2842ba74988 |
| SHA1 | ce353f49d3a812a2601167a5524b7c5e55d27dcf |
| SHA256 | cda309074e4c88cf86d66aa9284687b22cee353e207ece07650367976425c9d4 |
| SHA512 | 2f5ba7f0363fc5d6ade15b4662b2f6f748ca4bd303a28f9c08acaab4170357ec5880ee46a3f98f232a50d0db282269d3ad13aec8270fa3077db965e07dc5427d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\WD_Install.exe
| MD5 | 77bf69bc4f2465c6d992d95d992f55b0 |
| SHA1 | aa207c0fc600c8052a91a22f6d66e936ed45dddd |
| SHA256 | b34a40d7df9784d2f874345280fc0492d879af56542a5c0dc23d4efad8bf778c |
| SHA512 | a32b190610c98335e650d6e965679d5cf9a08902f83a80afc63b54a21f9d4a7b94306a178a7c6f848f2f186a1959e26c936b6c90ceffbd20e218cc5e0c0fa8ce |
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WatchSafe.ini
| MD5 | d2f681f69cad29d9143f38b9dbe5a185 |
| SHA1 | ad18924f60597ee4fe241449dbbd194c432aa900 |
| SHA256 | c185b6900d886c1f5bfdad21de262779011b4e334210b6d1a671a215536ac5ee |
| SHA512 | cfee639561ef42aef60a55ee03d490be8120341c27a8ed52878d2d9933bc92ca6bd1e352cda9d9a03c4d8f355c94af9b95a1f9719f7a140ee62f95ed2228704d |
C:\Program Files (x86)\CCBComponents\WATCHDATA\WatchData.ico
| MD5 | aac3f4d2b048cfbe2f2dea60949fa39f |
| SHA1 | c77ea346bb8cb71d04ecaee1b29157bde558bc91 |
| SHA256 | 7ca2856303b20d318588b19e1e5fe1b95c9c513227aeb05dc9c0c9422994720b |
| SHA512 | b10972c745a66e13a17804a40d7fdaf9a2aef2157e0da20bb612c8d377372cfd1329385e6fb52232973ecb772967baf5e8f2733196b07a8452d033d072e00715 |
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe
| MD5 | 71158d58d06ecb96a7545718c1277e4b |
| SHA1 | f867c19c67b457f0aedf36999d8362db6260c7fe |
| SHA256 | 005445ea0e4812397fa2dd662ffcf213df9d1cfe76225aa6618268c42f15df0b |
| SHA512 | c9cd6d6e96989ee2d968f091407a4d7d6fc89f23f0cd55322129e2b7ef396c7dbc49f23dcfd069a3b0302a7db3f62c962a65c660042d6aaaa85a7fbfe1c2cd5c |
C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe
| MD5 | dcc5f09ea4d286545f8d6eefb05249ce |
| SHA1 | 38b4d09b4ac702d688bb40158c7ca7d46a51b0ed |
| SHA256 | 1a6eb9dd1f334870edadc5c0b6242e265a54082e8f0ba0a43f85fc5816859f1a |
| SHA512 | 68c1e19a46c98b127a7384b99358d08bae7a7934a8e4ea5a8fe1df0a2dc7fa7323c5e437fe9a4b155332b6d336429c5b78d3d17e439fb662dec6069393a332a5 |
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe
| MD5 | 54040ca0b9990110725492895c05a304 |
| SHA1 | 3acb15d8ca088e26a596fbba8a58c9102a2ce761 |
| SHA256 | 88201467a60914be9a96a8cc254c5c8786bfa1c49643ffcdcc8253217b7071d8 |
| SHA512 | 96193ea93fe918f0e010cd56988661c0fb27fa2c25bd99c1de132335e69aeac02c2ec72b126237056fd8d08715a73c848319439dccf56ea6caecc2b56e703254 |
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
| MD5 | c9e7541d0f49d92f5b7b7aaef6bf8f87 |
| SHA1 | 722848ee3cef87cf65c02a5cb11f38ac1e5c3063 |
| SHA256 | fd9b2217711295e19a8dc027e3c81f37eeee9779b676021cff515c91d0b131ef |
| SHA512 | b55743e0d90ba1101610bf1c1f1be4460b3bafb2e08e17554151ebc724f779cd124f293d9345a4572ccb37d4626c43efb4322a43b88daf4cbdaee3ed34cde5f4 |
memory/2488-898-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2784-899-0x0000000000E90000-0x0000000000F93000-memory.dmp
memory/1140-900-0x0000000000430000-0x0000000000495000-memory.dmp
memory/1140-902-0x0000000000430000-0x0000000000495000-memory.dmp
memory/2784-901-0x0000000073F60000-0x0000000074083000-memory.dmp
memory/1080-913-0x0000000010000000-0x0000000010097000-memory.dmp
memory/1080-917-0x0000000010000000-0x0000000010097000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsyCE68.tmp\UserInfo.dll
| MD5 | d16e06c5de8fb8213a0464568ed9852f |
| SHA1 | d063690dc0d2c824f714acb5c4bcede3aa193f03 |
| SHA256 | 728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531 |
| SHA512 | 60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a |
memory/1080-918-0x0000000001E60000-0x0000000001EC5000-memory.dmp
memory/1080-923-0x0000000001E60000-0x0000000001EC5000-memory.dmp
memory/1080-921-0x0000000001ED0000-0x0000000001F19000-memory.dmp
C:\Program Files (x86)\CCBComponents\Tendyron\usbccid.sys
| MD5 | 2825e0e294686a26506690059e1f437a |
| SHA1 | 57abc95625625addb90d860210dbd3747ac8f881 |
| SHA256 | 58fa57da9077312142237dc8adb5371b291255e9806ce76db09380d767bc4114 |
| SHA512 | bc876a4a464ae96d924452fe5cbbad727d746872cdc6eeb086087e192c45941f405225ff07f4bb529ee25921653fbe7707356e57f87ebf00804873aec83cce98 |
C:\Program Files (x86)\CCBComponents\Tendyron\usbccid.inf
| MD5 | 847d52826e564cc823a53133e97edebc |
| SHA1 | 435403d41cb143efffce801afa6a0778ebc1db1f |
| SHA256 | 92adf715e8af162170b04bbb238dde9917f5b205800f816c99d23f24203511c2 |
| SHA512 | c4082503e7af896d7b0afb425c24ba672fd7836405d379c0340248a34f8922bdc0e1e2bffd918f3f5a854e3d7fdbce3df7f234f76c3663a12611f549af2114bb |
C:\Program Files (x86)\CCBComponents\Tendyron\usbccid.CAT
| MD5 | d76c27d0c43ae2ade72a737ee93d24bc |
| SHA1 | bc2ef1308c09d7931b402a93223dc48b260a1dcf |
| SHA256 | 16d27ecd64c18a63005ffc21023b1b426f12d634e4d6d153cdc0668eb8873d2d |
| SHA512 | cbbc153b55b00fb42615195d34011935705dcfc00dd37246a8bc45c74fbae1e0e78ad28b684c666226c95814a10dd0b6a769e1f854de96a4dc86f153662b5191 |
memory/1080-920-0x00000000003C0000-0x00000000003F0000-memory.dmp
memory/1080-919-0x00000000002A0000-0x00000000002B2000-memory.dmp
memory/2808-931-0x0000000000350000-0x000000000035C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsyCE68.tmp\KillProcDLL.dll
| MD5 | 83142eac84475f4ca889c73f10d9c179 |
| SHA1 | dbe43c0de8ef881466bd74861b2e5b17598b5ce8 |
| SHA256 | ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729 |
| SHA512 | 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1 |
C:\Users\Admin\AppData\Local\Temp\nsyCE68.tmp\Plugin_CCB.dll
| MD5 | f4c0c8694f0c394cb968c9e738861021 |
| SHA1 | 966fa8510a22ded30c489e7fa04cf5e08c6efa11 |
| SHA256 | 0bf9ac04357a76ada9df58df97fa7744b7b262700585f709a10ed52f123ce62c |
| SHA512 | 1a900c738d125a84904afc8aca579026375eebb0d77c2441572741e10823d7404a2f0d78b99cfef9203293e8945ddef4074a242623a31ccd6a3edbaf94ea2603 |
memory/1080-944-0x0000000002360000-0x0000000002398000-memory.dmp
memory/1080-945-0x0000000001F20000-0x0000000001F2E000-memory.dmp
memory/1080-946-0x00000000025C0000-0x00000000025E5000-memory.dmp
memory/1080-947-0x0000000002770000-0x0000000002807000-memory.dmp
memory/1080-949-0x0000000002770000-0x00000000027D5000-memory.dmp
memory/1080-948-0x00000000026F0000-0x0000000002728000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
| MD5 | 53a6dfff5f2cdd7b9426ef27ef9748b2 |
| SHA1 | 926d1cdfe223f9c2354841ed736208ae1b22226a |
| SHA256 | 50dda67c93bb2ba28776000a8f510ab74c325f9779ed5d52d8a7c6a47f08c71d |
| SHA512 | 3b431bdcd24dbf89752a6c52aa377bf4b9cb30825df653bb61172f48a9b3b78b99d190bc5611ce583fd958d4f395311c691cd9aacc51b9b39f6ebd8b35928c30 |
memory/1316-1044-0x0000000000250000-0x000000000026F000-memory.dmp
memory/2360-1045-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.Admin\key3.db
| MD5 | 27f263740703265f478d49e5baab12d8 |
| SHA1 | ad4bb3730c155a91ad6f6029ded34759b9f5df5f |
| SHA256 | cb719e022c53df9f184f343209d61fffcdf3a75d41a42da507b3004f6c13741f |
| SHA512 | dc41a1905c40857030cfc7fb05e3f11d57409b2c96f7ccd4ca98cc0fd491df28f48fe9d6cc7971e3cfb09a164d12c2460f457894a3e97bcd5c4cd2865b393631 |
memory/2360-1050-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2692-1058-0x0000000000350000-0x000000000036E000-memory.dmp
memory/2572-1059-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2572-1077-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1140-1126-0x0000000000430000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsyCE68.tmp\System.dll
| MD5 | 959ea64598b9a3e494c00e8fa793be7e |
| SHA1 | 40f284a3b92c2f04b1038def79579d4b3d066ee0 |
| SHA256 | 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b |
| SHA512 | 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64 |
C:\Windows\SysWOW64\D4Ser_CCB.exe
| MD5 | 8dd8e10782dbf5325cd37e2c783e6187 |
| SHA1 | b9a2017e9c2d5f027c52331c43e357dbfe7f4d69 |
| SHA256 | fcb77d0e9275ba7f29e68327c560e35c67d8b797448297aa839db5c724cb67cb |
| SHA512 | 025b91d7a43cab6aec5abe2f81f5968585f32b5372c02244b4ad0eacef3942cce2e0a63c2ce75273fe91fdffd146ea690155600e0cd286c346ddf4125f9d25f1 |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
| MD5 | 9b4fca25ae6fac237bcf48ace83ec63b |
| SHA1 | 9d44cda8a4682a5c216b3c5d8081aca97ae25be0 |
| SHA256 | f9895f52d7b3509684d3fbc609ecb1e030aa3e8154e4bf2810336412d03e1218 |
| SHA512 | 95bbac3547dccf9e5fe98d1a2e6aae364734f764c7faf975e7cffe1cb48509a8ee87d3c7708cb879d2536ded14b26e7a40d316db49860bb6545930963a644a7e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\SetupTraditional.ini
| MD5 | df89b147eff430b25fd29d9735a73c22 |
| SHA1 | 3cb55f7d964e43c5080b21e3f620cabe8541750a |
| SHA256 | 2630c816a50ffa8c7d5ab59e297f09e45d87e90d103be17732512a01418616ed |
| SHA512 | 7055eb54514a5820c669ed20555bc397cd30fc14fdbbb0543eef8206ef02ead939c423d282b36de2906f6b3647fee9df096603e44eef7d490bfdeb8807a32edd |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\csp3.0\WatchSafe.ini
| MD5 | 33f6aeba3cea94e6e5280834635abf23 |
| SHA1 | 19782c05440d37a908c85f648460cf0bd4622922 |
| SHA256 | f50e9b6b77c1fc3aa7aabe4796b189419797ac3e42e0b9c8e7fc1b09c4518c52 |
| SHA512 | c2612796a3189c7565ade5102c433c646ad93c31d4a82285e1dc98692bd34dbeb57d84452f98320ac8f8e337b402ecb3fba5a721e9e76f888e1e37edb35a5b36 |
C:\Windows\System32\WatchData\Watchdata CCB CSP v3.2\WatchSafe.ini
| MD5 | 05b0f8c0874cff35ee6824872928468f |
| SHA1 | bc50634f4cb697270a07e3d6cc694b579976a551 |
| SHA256 | 96c2819c1e63f938bbda95475e4bb2ad7fd38656e4b2d8ad5f1387f30555fe67 |
| SHA512 | cb684cca103760803701754f0e9613167bec7cb496348c7419bc3766afaaa88c584fb2e564dc647b164de603e1ec7f97839a5935afd706c3a930e8a60e149a1e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\ProviderName.ini
| MD5 | f3b35b9486acd9d76fddc54589ffe5eb |
| SHA1 | cbe3da1ab9703ecf00698624543bed37600bf94b |
| SHA256 | 4f9c258bf25ab3f212edf15ab434d12569c22be756f6607972cebb341cde7d17 |
| SHA512 | 19e2f839d47c6fede6a02fcc227331f1f300c69d90c236d8643a4d55155538c903d70f1d66e1f4f0347af4c3f7130868f33bb78925090b5af6aa947ab5eaa2e7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\WatchSafe.ini
| MD5 | d25d7c5f0c92a7d0d29b01343b0c9c45 |
| SHA1 | e8260423fc84e57daf43cc4a9b21bc25f7d1a21a |
| SHA256 | 205c60b4c572c0ca5b495f295dad2e6bff6d2093e0657dfdbc4658b098b5bac3 |
| SHA512 | 03e31288a0a66788ab6ae3a1401402e35d3044f5a76bb174679c89c0c8770fe284b32320fc4b0c570717435099b7d17d4dfae5366f3a89dae2a5206eaaf3c449 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\RegTrustedSite.exe
| MD5 | 709fa6df514b729c53da0f43d6503f53 |
| SHA1 | b2e78b60a7411890d3cb6e9b02fcf78af91d99af |
| SHA256 | 519b526508eda8eafee55e7e85f437fd4e4764b6fe40a38756476152e0047d9d |
| SHA512 | 7904dc34d28d76295f3a0ccdefef4fd9349495c6af2bc340284229c0d4e1fdfde80c51ffbf3f00e65de8c3f13c7cd9f91f070ba2df4ee2249bfd408f6ca2ba26 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\clrcert.exe
| MD5 | 089721cac74a7db470357d9558f752c2 |
| SHA1 | 710845a2e9ea0295767be480bb672353acc73457 |
| SHA256 | c8856ba292d6130d5af7492f66cd414fd247c05c25d1c351743ea29b6c23fe0c |
| SHA512 | e2d5e8838de6e0dadd1c6fbec9efaefcb427b9819387e8a1853b627891f812623b8ed22aa6d44d4b9dd63504ea3a78b36b7ed7d8731275f9c49e3cccf6ef5635 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\vc90\mfc90.dll
| MD5 | 60b030677185841817fa38bda0da6473 |
| SHA1 | ae45372b4ce19c773d627f9df829fc16702fe840 |
| SHA256 | 2a527eef7d5cbc295e5b3ceef5c5e1c34bf9fba51335102b44d73b67f5dbbe86 |
| SHA512 | ce1a560e372e2e35e092a7c6f823cace40d38a96246a27e5025172d418164471b0cba0319c8e83a6ff4d693f9d9250cc9d279154acf0ae9d5f9a81cc2c4f9bf0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\vc90\mfc90u.dll
| MD5 | 52bbd0e905e886413a9e6fbdde8612d8 |
| SHA1 | 8cf55a4e9b3d73611ab87800b0eeedcb3427c7a0 |
| SHA256 | 05edbe012dac7de6cf398af14dd6007dd83b63a3e4f930972b12a1ebd75c0d41 |
| SHA512 | 6d541026785008dcfaa962c242928af2206afe6ed8802e30ba881a583e1f63e6744fe50d3d5a4e2f19aea81e908ec9a9e13f7070ad5207843553f3f231a704cc |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\vc90\msvcr90.dll
| MD5 | 23b134891c08c7f04c1747f6bcec06ea |
| SHA1 | 26a77ccf0e62faa436255e47a0c3c8a818733193 |
| SHA256 | e11ce4b90db815359b2d76f95f623fc26924c5a254f0540224fa6feb623817e5 |
| SHA512 | 30c89f058b3b9ddd39ed7a3e3c470c2df08940dbc3ea0cf72cf271fa76ee19d956ee503a3fa2839458fbd2a61658ff3aa7f8326e6eccae9c11ac78b4c2b84c14 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\csp3.0\wdsafe3.dll
| MD5 | 95eaf288c6b8ced73c3af0f11a78e797 |
| SHA1 | ecf52d55677a07997eacd91519215459b32d6580 |
| SHA256 | fe53bc050b745626d887c76ddcda46dacbcd5f86fb6131d61b76c13742baa0cd |
| SHA512 | 2780fd36654094f8bfebd39c05460f6e4b8caa02447549864aaef94e5b96de938fc2c53945150916f719489f645ef9ac057e045ca56a9a584aaef7fef3af4722 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\recfull.ico
| MD5 | 00abf9f5ab51bcc95ed4f3f35a05453f |
| SHA1 | d78e6d409da0510723159badd0dd4b3f7c66905a |
| SHA256 | 0d7411adc9b51229ae2fe918086bebb10b8054a23aed185d11eff279ddf7f405 |
| SHA512 | cfe9ffcf9adaaf9cfae27ed42aa1499b5a3005d8d914b58ec0374af2de3fd2d551b9423f239fa9feac2b5161f4b50fa1db68526ae63299deba7fd2ed509f861f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\vc90\Microsoft.VC90.CRT.manifest
| MD5 | e194d0211efacefe4b45a1fff7b0ee68 |
| SHA1 | df29e3e3bd04779616fd3e84734d8a329e44dd20 |
| SHA256 | 58fc4416331672c7b7a413ce071c01ddfdf91ed1c0604ce014250b38dfc78787 |
| SHA512 | c4310c1cab0db0e0f5aed4cbcbf1d7643d3b4be2df6a753f520f741aa73f50ced3b7681bd8c59f971f1c5ff5e240287da65c47043526402c74bbf1b167cc665e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\DisplayKeyA18.gif
| MD5 | 8ae5a38dde3366113b5a099afc5c4acc |
| SHA1 | 342efca15e9dff99c9824314b9e6cc4d4a48a95d |
| SHA256 | e69e87c9ef9a44ed8fa9bfcb1202a86bb32f0edcdc181eb88934740197645b17 |
| SHA512 | 3a993babea78ec3a57539902edc8e5b92c365050e67fed70180765749bfa628d3eb8cfea3f5f69dc212386c15ad82fd3e10bc1ebfe68cf2387f2a59e4eddc048 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\vc90\Microsoft.VC90.MFC.manifest
| MD5 | a4f947a900e60561c05f12ecc0ac9b8e |
| SHA1 | 89965aacff28dadde79e09063b3421c1befff041 |
| SHA256 | e85ea26d156723557653b22c10adaefdfa0d9615049541a74cdb968f146a5ace |
| SHA512 | 38c54a752b53c60e7fe2a7c66f81757e3f047fd37339ac2b25c83b6a61320ce646c407c2ad90eb68e91702dbffd0dd3c9a39fddc2ba1df6c187a525e013b7d32 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\logo.bmp
| MD5 | abfc877656d7927875ecad734ea9be6c |
| SHA1 | e10fd120801ebd31a4802c9f21ac7001d3baedf3 |
| SHA256 | 1d725d74338347304e6c2f84e80b576a1cb2b119d32302ac879f35b1ea5af8fa |
| SHA512 | 89baa5d5ec0e5d25dc36f67ae1763863f6bc87ddd899582f7be382708a6906938dc1b665b97be8f554d1a216642be8186c6bb5381ac46f41f1d335396ce487d4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\DisplayKey.gif
| MD5 | b5cc4051adf7489a983c0655c27bc9f3 |
| SHA1 | f52d0a0e0e2dfedcab73a6328b8e413b4285a512 |
| SHA256 | ad86465eb3baca8d9457fe1bd15d76572a6c625a384d4f7b0ff542776245cbcb |
| SHA512 | 0d3c9778e5a87b1c01ec4898fe446222ca608f50ca04f689f7bcd5ca75d3449912fb5d9b4c99a1e332699c82bf0ba3590bb1a8f05e2bac1b408130182fecc320 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\csp3.0\wdsafe3.sig
| MD5 | 6094a43708a73c15f42bd86be9ddc630 |
| SHA1 | 8fe16cbdfbec7bcb3c72218f2ede77704fe55711 |
| SHA256 | 8155052dae9c57a525eb2802128a2b6fb4c0e078009bc5762620ca13f9a83b30 |
| SHA512 | 885d56f5990bb6ca58599454739bc52a54a36accbf9fa7c7ea2a423e6bcce198dc0ae6d005d345654f54bf29567871c283731446535da513651c43c1e4cca3d2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WatchSafe 3 User_ND Setup\Tools\DisplayKeyA7-3.gif
| MD5 | 31fbd8899e7f643ebf4c4ceb83891370 |
| SHA1 | caa9b2e2e8899cd9991470591c7b4e9a43cc689c |
| SHA256 | 74852a53ccd6c5f5d43ad2fca653f6c90aee3325dd519b139e8b586890c750d1 |
| SHA512 | f9caf2ca398b6a8a78e9b33f16389c1a429bab15497549b220fd848e2b88aba60bdb8cdab9c938825e37ff82f42ec21b4e5309f4350468f3ae0404b2ff9ef838 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240221-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 2780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AnimGif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AnimGif.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 224
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 220
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 224
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240426-en
Max time kernel
132s
Max time network
103s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-12 14:09
Reported
2024-05-12 14:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network