Analysis Overview
SHA256
b64324cf3e3fe9e4d6dad9fc9da32b963a6d845f9e47473394ceb33eddac1fed
Threat Level: Likely malicious
The file 3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Creates new service(s)
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Registers COM server for autorun
Drops file in Windows directory
Checks installed software on the system
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies registry class
Runs .reg file with regedit
Suspicious behavior: CmdExeWriteProcessMemorySpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-12 17:37
Signatures
VMProtect packed file
Unsigned PE
NSIS installer
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
131s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 692 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2488 -ip 2488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4472,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 4596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4596 -ip 4596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 600
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
101s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3620 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 612
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
Reads user/profile data of web browsers
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdcertm_ccb = "C:\\Windows\\system32\\WatchData\\Watchdata CCB OCL CSP v3.2\\WDCertM_CCB.exe" | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\USBKeyTools.exe = "C:\\Program Files (x86)\\CCBComponents\\HDZB\\USBKeyTools.exe" | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D4Svr_CCB.exe = "D4Svr_CCB.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\ProviderName.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCB_GMSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\plds4.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\nss3.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\TraditionalChinese.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\uninst.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\InfoScan.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\usb.inf | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CACHILD.cer | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\Chinese.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\AdminRepair_CCB.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Hand_TDR.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\DetectRepair_1028.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\VersionUpdate_1028.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\4100.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\ChineseSimp.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\freebl3.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\libplds4.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_hdzb_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_watchdata2G_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\DisplayK43.gif | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCB_SwxCryptSimple.ocx | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\PasswordManage_1028.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\uninst.exe | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\CertUpdate_2052.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\TrayMenu_BackPic_1028.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\log\202405_install.log | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_detect_hdzb.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_watchdata2G_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\1028.ini | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\recfull.ico | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\DisableUDKDevice.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Keyboard_Sel.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBInfoScan.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\nspr4.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmccbplugin.dll | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\TrayMenu_BackPic_2052.bmp | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
Executes dropped EXE
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ = "C:\\Windows\\system32\\ccb_tdrmanager.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ = "C:\\Windows\\system32\\HDCCBCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ = "C:\\Windows\\system32\\CCBNetSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ = "C:\\Windows\\system32\\wdccb.dll" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32 | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ = "C:\\Windows\\system32\\CCB_GMSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\D4Svr_CCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\D4Svr_CCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\D4Svr_CCB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A41E8A-1444-43AD-A194-664816D6EF23}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WDCCB.WDCCBCtrl.1\CLSID\ = "{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A79ECA9F-B118-4809-B6E0-25012FFCF7EC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CCBComponents\\Detector" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CCB_GMSignCom.dll, 102" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KEYCODE.KeyCodeCtrl.1\CLSID\ = "{B1CE16C6-EE96-44D0-8866-654C5536F810}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\Control | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\Version\ = "1.0" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\Control | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{984783CE-DDA1-4A69-95C9-3ED17EBF80E2} | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SWXCRYPT.SwxCryptCtrl.1\Insertable\ | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\MiscStatus\1\ = "131473" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBSIGNCOM.CCBSignComCtrl.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WDCCB.WDCCBCtrl.1 | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WDCCB.WDCCBCtrl\CLSID\ = "{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Control | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CDA9092-5173-48DF-A108-2BE97D6D9FC2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2410330-4B42-48FC-9645-0C3C0955D0C5}\1.0\0\win64\ = "C:\\Windows\\system32\\CCBNetSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}" | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEEF9BA4-6081-4768-8566-85D26E323ED8}\TypeLib\ = "{98729C57-FC65-44AC-BE3B-CDCCD551FE03}" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{959E40E2-793D-472E-9732-9536A31F3337}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{959E40E2-793D-472E-9732-9536A31F3337}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B} | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4016A333-2167-4833-8228-499E2F7F1F69}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\ProgID\ = "WDCCB.WDCCBCtrl.1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4016A333-2167-4833-8228-499E2F7F1F69}\TypeLib | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SWXCRYPT.SwxCryptCtrl.1\CLSID | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBNetSignCom.InfosecCCBNetSign.1 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA03DDFB-C718-4058-A68D-7B610550F3D7}\ = "_ICCB_GMSignCtlEvents" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33AB374F-0297-42AA-A073-A26618FEDBA6}\1.0\HELPDIR\ | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2FF73CA3-1F46-4055-B458-3349104D9A4D}\ = "ccb_tdrmanager" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\Control | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF33C2B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63D36960-31DC-4D7C-BC3F-E8CB9CA5CBD8}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\INFOSCAN.InfoScanCtrl.1\CLSID\ = "{1F14548F-6975-40F1-AE24-6E2D1D449B2F}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5DFD97E-664A-483F-A69B-55096D1A4E59} | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0349E403-6DA9-4D60-8401-A60A3D98B311}\1.0\0\win64\ = "C:\\Windows\\system32\\HDCCBCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A0241EF-D5BE-40B9-A3B6-08AF87EC987F}\ = "_IInfosecCCBNetSignEvents" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\ProgID | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBDetector\DefaultICon11\ = "C:\\Program Files (x86)\\CCBComponents\\Detector\\CCBDetector.exe,1" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\MiscStatus\1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ccb_tdrmanager.Token_CCB\CLSID\ = "{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63D36960-31DC-4D7C-BC3F-E8CB9CA5CBD8}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\TypeLib\ = "{959E40E2-793D-472E-9732-9536A31F3337}" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ccb_tdrmanager.Token_CCB.1\CLSID\ = "{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4016A333-2167-4833-8228-499E2F7F1F69}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A41E8A-1444-43AD-A194-664816D6EF23}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A0241EF-D5BE-40B9-A3B6-08AF87EC987F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FE2B467-9121-4610-96C7-24DD7F06861D} | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{537F36DC-4C2A-456D-A87F-00ED6F804908}\ = "_IInfoSecNetSignEvents" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF33C2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Windows\system32\CCBSignCom.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBSignCom.ocx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Windows\system32\CCBNetSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBNetSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Windows\system32\CCB_GMSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCB_GMSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_x64_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_DM_LCD_x64_silent.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\sc.exe
sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
C:\Program Files\Mozilla Firefox\InstallP11_2G.exe
"C:\Program Files\Mozilla Firefox\InstallP11_2G.exe" /install "HDZB USBKEY 2G" "C:\Windows\system32\CCB_HDZB_2G_P11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -s SCardSvr
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start CertPropSvc
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start CertPropSvc
C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "HZ_CommSrv"
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /uninstall
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /install
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\system32\HZ_CommSrv.exe /install
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 START "HZ_CommSrv"
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe
"C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe" /install "HDZB USBKEY" "C:\Windows\system32\HDCCBpkcs11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe
"C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe"
C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\Tendyron_Install_Silent.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegSecurity
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBP11
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe" -force -add "CCB-TDR-PKCS11" -libfile "C:\Windows\system32\D4CSP_CCB.dll" -dbdir "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/0vcfaxx4.Admin"
C:\Windows\SysWOW64\D4Svr_CCB.exe
D4Svr_CCB.exe restart
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBPlugin
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32/D4Svr_CCB.exe kill
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32/ie_tdr.reg
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_AUTO_RUN.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_RootCert.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_IESECLEVER.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\Trust.reg
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32\D4Svr_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\system32\D4Ser_CCB.exe -i -s
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe
"C:\Users\Admin\AppData\Local\Temp\nsv3B65.tmp\WDCCB_32+64bit.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe"
C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe"
C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wdccb.dll
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe" -install
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/0vcfaxx4.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBRSACAROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/0vcfaxx4.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\rsa2048ca.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CAROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/0vcfaxx4.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CAROOT.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CACHILD" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/0vcfaxx4.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CACHILD.cer"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe
"C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe"
Network
Files
C:\Windows\SysWOW64\HDCCBCtrl.dll
| MD5 | c586841bfe36f0d666e5266f176a1eac |
| SHA1 | c5dfcebe290c1a2ee8b552020ce81835ab863ad2 |
| SHA256 | e287f8e7f293af3718ac710d011a89945ec179b5149db652faa8842be3714819 |
| SHA512 | 8ab6dcb4614f0fc821d83eb2a145e1cbe16d86a5a3d5770f2cec1e34f369086c7e17e3030f78f3fe3ef58871539467894ab6680476f881b2f8cab176769b80f5 |
C:\Users\Admin\AppData\Local\Temp\nsaB8F2.tmp\UserInfo.dll
| MD5 | d16e06c5de8fb8213a0464568ed9852f |
| SHA1 | d063690dc0d2c824f714acb5c4bcede3aa193f03 |
| SHA256 | 728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531 |
| SHA512 | 60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a |
C:\Users\Admin\AppData\Local\Temp\nsaB8F2.tmp\Plugin_CCB.dll
| MD5 | 8aa990c680e54554fcdf1e07e59ed789 |
| SHA1 | fdbcb99c041d0453e99ddef11fa70d60a812120f |
| SHA256 | 4c2d967fde800c92e003c926cde1f166d987409b38b53e9371f6e72b0c1fb342 |
| SHA512 | c227bc1fcb07534d6d66e874cbe1a076569c8a8d30cfe42683ce94a7b4d8d3268dd74610d5af8cfa035f932ec056c9f466ebd04bcbf81fa78fffac83be536747 |
C:\Users\Admin\AppData\Local\Temp\nsaB8F2.tmp\KillProcDLL.dll
| MD5 | 83142eac84475f4ca889c73f10d9c179 |
| SHA1 | dbe43c0de8ef881466bd74861b2e5b17598b5ce8 |
| SHA256 | ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729 |
| SHA512 | 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1 |
memory/3864-1016-0x0000000000D70000-0x0000000000EB6000-memory.dmp
memory/2620-1017-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0vcfaxx4.Admin\secmod.db
| MD5 | 8ee1e41575525e4d2b7d75a5c70b8ff4 |
| SHA1 | ed4ffc9b3cbc0caaef5740327eae49c445ca8fa7 |
| SHA256 | dacfde7b4da88a2b516c19e7af8fc6c6d5efcb8befe11195f1bb0d4ee166eae1 |
| SHA512 | 4a811911473500dc1fcc9b8b94759985463a1222339f17a1b063f3616496e803eb013efa04866b0e81f80e62d8f0e400468e50d56a81ae526ee0d4fe952c6f12 |
memory/2620-1034-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3864-1089-0x0000000073D90000-0x0000000073EC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsaB8F2.tmp\System.dll
| MD5 | 959ea64598b9a3e494c00e8fa793be7e |
| SHA1 | 40f284a3b92c2f04b1038def79579d4b3d066ee0 |
| SHA256 | 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b |
| SHA512 | 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64 |
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\DisplayKey.gif
| MD5 | b5cc4051adf7489a983c0655c27bc9f3 |
| SHA1 | f52d0a0e0e2dfedcab73a6328b8e413b4285a512 |
| SHA256 | ad86465eb3baca8d9457fe1bd15d76572a6c625a384d4f7b0ff542776245cbcb |
| SHA512 | 0d3c9778e5a87b1c01ec4898fe446222ca608f50ca04f689f7bcd5ca75d3449912fb5d9b4c99a1e332699c82bf0ba3590bb1a8f05e2bac1b408130182fecc320 |
C:\Windows\SysWOW64\CCBNSIS.dll
| MD5 | 477d298aba04d17560ffc745012d8c28 |
| SHA1 | afccc4d84dcb099240fd7d062f0a059c688427b6 |
| SHA256 | 423fecc280c52f2d90597ebe6e4f358d3211933dd642ec636c31f8bda1a26cad |
| SHA512 | 4c3976f4c7f63939c36838d6870e3169d409846ff3259d75c5e710f65c2850dcf1f156c6c65a1d77744e6a0f718d9421fd79c0e25623a50188d3b5a23720fdf8 |
C:\Program Files (x86)\CCBComponents\WATCHDATA\log\202405_install.log
| MD5 | bbf4ab9910fbabf2db4234e82afbc475 |
| SHA1 | f318b9e6284e2ab8efaf35911f0fd2f1d09fcb91 |
| SHA256 | 89bd99c93b0243a0e6861e9bc91c207d064e8360473d34face74dc7c04fb2a16 |
| SHA512 | 7f8670d4daeb717d73109f0b8aaab974e2d632bd6412a1567c0274d66eccfc0910473f8acd3815dc92a8d6dadfa4353522e7b2b6e3fcd43a5f0010bf5240f8e6 |
memory/4120-1253-0x0000000010000000-0x0000000010097000-memory.dmp
memory/4120-1256-0x0000000002240000-0x00000000022A5000-memory.dmp
memory/4120-1255-0x0000000002240000-0x00000000022A5000-memory.dmp
memory/4120-1263-0x00000000025B0000-0x00000000025E9000-memory.dmp
memory/4120-1262-0x00000000025B0000-0x00000000025E9000-memory.dmp
memory/412-1268-0x0000000000EF0000-0x0000000000F55000-memory.dmp
memory/412-1269-0x0000000000EF0000-0x0000000000F55000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
| MD5 | 4088bded78af790b3200d0ebb519901f |
| SHA1 | a4eccc39fa9516a51a1ff55ee01dbaf693a80d16 |
| SHA256 | 83b540939cabe0fbfb0e3fe7a5782be201cd5280c14d850df3249559999fc44d |
| SHA512 | 7550c776f08107dd43c9599ffedd0ed3a21d1541f2c594a9ab4b515d06140c4c42862ecd378c0bd419cd9cb6c9fb97e675ff2c2b049c1d1e2dae00e3cf693042 |
memory/3044-1282-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3044-1291-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4000-1292-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4000-1301-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4436-1302-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4436-1311-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3136-1312-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3136-1321-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4120-1358-0x0000000010000000-0x0000000010097000-memory.dmp
memory/4120-1359-0x0000000002240000-0x00000000022A5000-memory.dmp
memory/4120-1360-0x00000000025B0000-0x00000000025E9000-memory.dmp
memory/412-1361-0x0000000000EF0000-0x0000000000F55000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmwritecert.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\uninst.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\log\202405.log | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\Chinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmccbplugin.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\TraditionalChinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\InstallerCCID.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\English.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\ = "GetID Property Page" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GetID.ocx, 1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1\ = "132241" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID\ = "{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID\ = "GETID.GetIDCtrl.1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Control\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Version | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\ = "GetID ActiveX Control module" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb4AA7.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
C:\Users\Admin\AppData\Local\Temp\nsb4AA7.tmp\UserInfo.dll
| MD5 | 1e8e11f465afdabe97f529705786b368 |
| SHA1 | ea42bed65df6618c5f5648567d81f3935e70a2a0 |
| SHA256 | 7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b |
| SHA512 | 16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b |
C:\Users\Admin\AppData\Local\Temp\nsb4AA7.tmp\GetVersion.dll
| MD5 | b4cec45a9909c10a8d387c8eb72e8d0d |
| SHA1 | 609e1ff7627aa88db0adbf79897fc8c786f42be5 |
| SHA256 | aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8 |
| SHA512 | 337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a |
C:\Windows\SysWOW64\CCBKCSPV2.dll
| MD5 | 1c9bbec0fb2356025abfbe9e5ab2389e |
| SHA1 | 1afcb5b13146983c981c3e069c0af41102e4b7de |
| SHA256 | 2e51dde6b79f7cd4655b716b8560d368a4728af50c8cad4f14378937948033fd |
| SHA512 | 814b0f195978d35f7b101881033a82f0628e9d02d345b5053db0afe4bf8b7b69f14f9c7e0119a49d9c043bbade944b2a787c5297dce7c0bcc016e34908441724 |
memory/876-57-0x0000000002ED0000-0x0000000002EDD000-memory.dmp
C:\Windows\SysWOW64\CCBKCSP.dll
| MD5 | 635c71f7a76a2917bdc642d3fe726e59 |
| SHA1 | f48ede1e746c83daa4362147b5e9bd00a3b0b012 |
| SHA256 | 2321e45539ce5d286aa8ecdbb5a402e8ee11a3d29d1ee8aed784bcb47b8df129 |
| SHA512 | 4e948e351d7ad587aab8813aa1159095687f10a4b8dc19218e5d827ceaf1d77ff946b32977560debf5e6dedf32cfd7eadc3d4197c1f5c35c3dba0f2f692ab6f7 |
memory/876-64-0x0000000002ED0000-0x0000000002EDD000-memory.dmp
C:\Windows\SysWOW64\GetID.ocx
| MD5 | 5e46a2ab8198982de8b4a432e9b1ffa5 |
| SHA1 | 4605855364ce1f5cca174b0a721be8f4ad539816 |
| SHA256 | d128f2f8863db79ca5ad1f18ecb07c56b9f194ca5d9c049e0e53fa4916f83a93 |
| SHA512 | 6981db8de870c1f13c87155d97ac650b7d1805c03d66d9d567d1561e1ee5cd001f3d7251fb7361eea4a92e65373f52816218cab023e92977746ff094ff55b0b5 |
memory/876-71-0x0000000002ED0000-0x0000000002F35000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
| MD5 | 4cf8946b95aaacc7397528f87f544931 |
| SHA1 | ea453cca204512982e0f60d848e434e5f069bc94 |
| SHA256 | 690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1 |
| SHA512 | f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207 |
C:\Windows\SysWOW64\TerminateProcess_dmwz.dll
| MD5 | b8923aa4efbb7be1b46dae19947be9d8 |
| SHA1 | 13f411716c5c0020c1d7873ca06e2d0aa93898fe |
| SHA256 | 6448b4fac741623589cd16a8a26b97e17bb4fa37216138ec0ce34946b5e6fb27 |
| SHA512 | a775ea0e55e1b215b3cb9294a6edfdfc52a00624b07f2763fe34ff7d4f48b2bd6c091dee979a0909b05a16897db17e7d88dee320a67d0e7b002d664ae5b5abb4 |
memory/876-84-0x0000000003450000-0x000000000348A000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
| MD5 | c63e5be9a5fff8a11eea35f7d18f74b0 |
| SHA1 | 76401ef3718f853cd523d49cc958978ec4eb729f |
| SHA256 | 0a82a83db2a3bc561542f437bc8aedfd210a47fd56be7f80990a9c53ea730c69 |
| SHA512 | 775445dfefb53efc841f026873016cd6e54567c0138b65d2da8e8b38af2dd9a6952cc69913dadb4df3fd57558394b6ff5256aa1951c1455c2b27011c6061741e |
memory/4656-231-0x0000000000320000-0x0000000000466000-memory.dmp
memory/4656-233-0x0000000000320000-0x0000000000466000-memory.dmp
C:\Windows\SysWOW64\CCBDMBDI.dll
| MD5 | 193a33c6c16f816c22deb5d5738c7306 |
| SHA1 | 3e174015d9d87be3a213002c1a99228e9dc5b6ea |
| SHA256 | 4c67fffcccdf3e51e110959b1df4fe67303737c4000f8bd33cd9e92d84daa681 |
| SHA512 | b623655dd59084b2f9057c793e5b9ab9c6b8f3e627f9a0d871b0e4bdbff2486691cfa6b8f1a11177f127488c92d78725da6cfd52c741731fb65d3b303b8880d4 |
memory/4656-237-0x00000000750C0000-0x00000000751F5000-memory.dmp
memory/4656-238-0x00000000750C0000-0x00000000751F5000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\Language\English.ini
| MD5 | 15759a49acdb8a322c2c09b81fc71def |
| SHA1 | e24d59497c2f632fbf6fb3057ff76bbb6f2e5acc |
| SHA256 | b42aa3ba6f98117fca428d967574852ae646811433c0fbb0022f10fc5bc296bd |
| SHA512 | 7bc66dea932212307cf349ee5c9450891f8dee54f7bef6a027d0e763a615531e583cfd4520e82819ddaade3a5d375442fc08612c91ea31b3c506991bfd358b3e |
C:\Program Files (x86)\CCBComponents\DMWZ\Language\Chinese.ini
| MD5 | 8ed98c55a52ce392e605726f1601955b |
| SHA1 | 4b29520e47e5e94f8cddf6ed41656b4225465f10 |
| SHA256 | 1153dd6d71ce487bc24338636639512220a519b7af738474979ef73dcf735e59 |
| SHA512 | 925dd1577db33a65dd18ab2becff3e81ce04e0625e4e3053597553d4f866cb4d4fc08d2cf4a3230e51ffe13e796c2e14394702db3bfe0837da54d6514848590d |
C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini
| MD5 | e7750f1ca97ab8dce4052948bd2edd6f |
| SHA1 | a27413430b8f782ccb8ba6bcf5f11a9928e0535c |
| SHA256 | b6a40c7cd04ca11ed95495e089a69e56f799fabf0f39568f4ee7bb19ae49d769 |
| SHA512 | 5b36b9459730b19e7485ea7d882e4ca132197493d8d33616618e3646b30b782001682dcab5f02c24ca22cf2d76c97d99098b17440937c54d10bbd40a8eb39228 |
memory/4656-245-0x0000000000320000-0x0000000000466000-memory.dmp
memory/4656-246-0x00000000750C0000-0x00000000751F5000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 612
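Reading note on the rundll32-only detonations (behavioral6 above and the later behavioral30, 11, 20 and 16 runs): the sandbox pulled each NSIS plugin DLL out of the installer and ran it on its own as `rundll32.exe <dll>,#1`. A 64-bit rundll32 that is handed a 32-bit DLL relaunches its SysWOW64 copy (the three "PID 4988 wrote to memory of 5024" rows are that CreateProcess handoff), and an NSIS plugin export expects NSIS's stack and variable pointers rather than rundll32's arguments, so the child faults and WerFault.exe is started with `-p <pid>`. The "Program crash" and "Suspicious use of WriteProcessMemory" signatures in these runs are therefore detonation artifacts, not behaviour of the installer. The following triage script is an added example written for this page, not part of the sandbox report; the function and verdict names (`triage`, `nsis-plugin-crash-artifact`, `needs-review`) are this example's own, and the sample rows are copied from the behavioral6 tables above.

```python
import re

# NSIS runtime variables that appear in paths of DLLs the sandbox pulled out of the
# installer and detonated on their own (as in the Processes lists on this page).
NSIS_PATH_VARS = ("$PLUGINSDIR", "$SYSDIR", "$PROGRAMFILES", "$INSTDIR", "$TEMP")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(.+?),(#?\w+)\s*$", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")  # skips -pss and -ip

# Constructed sample: the WriteProcessMemory rows and the Processes list of the
# behavioral6 run, copied verbatim (header row included to show it is skipped).
WPM_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
"""

PROCESSES = [  # (image path, command line)
    (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 612"),
]


def parse_wpm_rows(text):
    """Child PID -> (parent PID, parent image, child image) from 'wrote to memory' rows."""
    edges = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        m = WPM_RE.search(cells[0])
        if m:
            edges[int(m.group(2))] = (int(m.group(1)), cells[2], cells[3])
    return edges


def rundll32_targets(processes):
    """(DLL path, export) for every rundll32 command line; '#1' is an ordinal export."""
    out = []
    for image, cmdline in processes:
        m = RUNDLL_RE.match(cmdline) if image.lower().endswith("rundll32.exe") else None
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def crashed_pids(processes):
    """PIDs that WerFault.exe was invoked for ('-p <pid>', in both the -pss and -u forms)."""
    pids = set()
    for image, cmdline in processes:
        m = WERFAULT_PID_RE.search(cmdline) if image.lower().endswith("werfault.exe") else None
        if m:
            pids.add(int(m.group(1)))
    return pids


def triage(processes, wpm_text):
    """Decide whether the crash/WriteProcessMemory signatures are a detonation artifact.

    Artifact pattern: a 64-bit rundll32 relaunched its SysWOW64 copy (the parent->child
    write is the CreateProcess handoff), the child loaded a DLL extracted from the NSIS
    installer by ordinal export, and that child is the process WerFault reported.
    """
    edges = parse_wpm_rows(wpm_text)
    targets = rundll32_targets(processes)
    crashed = crashed_pids(processes)
    nsis_ordinal = [t for t in targets
                    if t[1].startswith("#") and any(v in t[0].upper() for v in NSIS_PATH_VARS)]
    artifact = bool(crashed) and bool(nsis_ordinal)
    for pid in crashed:
        _parent, parent_img, child_img = edges.get(pid, (None, "", ""))
        if not (child_img.lower().endswith(r"syswow64\rundll32.exe")
                and parent_img.lower().endswith(r"system32\rundll32.exe")):
            artifact = False
    return {"edges": edges, "rundll32_targets": targets, "crashed": crashed,
            "verdict": "nsis-plugin-crash-artifact" if artifact else "needs-review"}


if __name__ == "__main__":
    result = triage(PROCESSES, WPM_ROWS)
    for pid in sorted(result["crashed"]):
        print(f"crashed pid {pid}: {result['edges'].get(pid)}")
    print("verdict:", result["verdict"])
```

Anything that does not fit the pattern (a crash in a process other than the relaunched rundll32, or a DLL outside the NSIS staging paths) comes back as `needs-review` and should be looked at by hand.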
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
100s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 2060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 2060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 2060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2060-0-0x0000000074CB0000-0x0000000074DE5000-memory.dmp
memory/2060-1-0x0000000074CB0000-0x0000000074DE5000-memory.dmp
memory/2060-4-0x0000000074CB0000-0x0000000074DE5000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240215-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 224
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\Chinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\InstallerCCID.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmwritecert.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\uninst.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.inf | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npdmccbplugin.dll | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CheckP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\English.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\log\202405.log | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\language\TraditionalChinese.ini | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1\ = "132241" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GetID.ocx, 1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\ = "GetID Property Page" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Control\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\CLSID\ = "{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\ = "_DGetID" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ = "_DGetIDEvents" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22240571-121F-4E26-B34C-56AF75F6446B}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID\ = "GETID.GetIDCtrl.1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}\1.0\ = "GetID ActiveX Control module" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
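What the persistence and registry rows of this run add up to: the installer sets an HKLM (Wow6432Node) Run value so CCBCertificate.exe starts at every logon, and it registers GetID.ocx as the in-process server for CLSID {128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F} (ProgID GETID.GetIDCtrl.1) with both Implemented Categories {7DD95801-9882-11CF-9FA9-00AA006C42C4} (safe for initializing) and {7DD95802-9882-11CF-9FA9-00AA006C42C4} (safe for scripting). Those two categories are what Internet Explorer consults before letting a web page create and script an ActiveX control, so after this install any page rendered in IE can drive the control. The script below, an added example that is not part of the sandbox report, rebuilds that picture from the rows above; `summarize` and the field names it returns are this example's own, and the sample rows are a verbatim subset of the tables in this run.

```python
import re

# COM component categories Internet Explorer checks before instantiating an ActiveX
# control from a web page; a server under both is creatable and scriptable by any page.
CATID_SAFE_FOR_INITIALIZING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_SCRIPTING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\=]+)$", re.IGNORECASE)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.*))?$", re.IGNORECASE)

# Constructed sample: the Run-key row and a subset of the 'Modifies registry class'
# rows of the behavioral3 run, copied verbatim.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ = "GetID Control" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\TypeLib\ = "{BA8FFE28-696F-4E9A-BDE4-69E20C8ACDA0}" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\SysWow64\\GetID.ocx" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ProgID\ = "GETID.GetIDCtrl.1" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\ = "GetID Property Page" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe | N/A |
"""


def parse_indicator(indicator):
    """Split '<key> = "<value>"' into (key, value); bare keys give value None."""
    if " = " in indicator:
        key, raw = indicator.split(" = ", 1)
        return key, raw.strip().strip('"').replace("\\\\", "\\")  # undo the report's escaping
    return indicator, None


def build_registrations(rows):
    """Reconstruct CLSID entries and Run-key values from sandbox registry rows."""
    controls, run_keys = {}, {}
    for row in rows.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 3 or not cells[0].startswith(("Set value", "Key created")):
            continue
        key, value = parse_indicator(cells[1])
        m = RUN_KEY_RE.search(key)
        if m and value is not None:
            run_keys[m.group(1)] = value
            continue
        m = CLSID_RE.search(key)
        if not m:
            continue
        entry = controls.setdefault(m.group(1).upper(), {
            "name": None, "inproc": None, "progid": None, "typelib": None, "categories": set()})
        parts = (m.group(2) or "").split("\\")
        if "Implemented Categories" in parts:  # category key, with or without trailing '\'
            i = parts.index("Implemented Categories")
            if i + 1 < len(parts) and parts[i + 1]:
                entry["categories"].add(parts[i + 1].upper())
            continue
        subkey, name = "\\".join(parts[:-1]), parts[-1]
        if value is None or name != "":  # only (default) values carry what we need
            continue
        field = {"": "name", "InprocServer32": "inproc", "ProgID": "progid", "TypeLib": "typelib"}.get(subkey)
        if field:
            entry[field] = value
    return controls, run_keys


def scriptable_controls(controls):
    """CLSIDs whose server is marked both safe-for-initializing and safe-for-scripting."""
    wanted = {CATID_SAFE_FOR_INITIALIZING, CATID_SAFE_FOR_SCRIPTING}
    return sorted(((clsid, e["inproc"]) for clsid, e in controls.items() if wanted <= e["categories"]),
                  key=lambda t: t[0])


def summarize(rows):
    controls, run_keys = build_registrations(rows)
    return {"controls": controls, "run_keys": run_keys, "scriptable": scriptable_controls(controls)}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("autorun:", s["run_keys"])
    print("web-scriptable controls:", s["scriptable"])
```

On a live host the same two facts can be confirmed under `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` and `HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}`; the rows above show only what the installer wrote, not whether anything later removed it.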
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsi10D4.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nsi10D4.tmp\UserInfo.dll
| MD5 | 1e8e11f465afdabe97f529705786b368 |
| SHA1 | ea42bed65df6618c5f5648567d81f3935e70a2a0 |
| SHA256 | 7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b |
| SHA512 | 16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b |
\Users\Admin\AppData\Local\Temp\nsi10D4.tmp\GetVersion.dll
| MD5 | b4cec45a9909c10a8d387c8eb72e8d0d |
| SHA1 | 609e1ff7627aa88db0adbf79897fc8c786f42be5 |
| SHA256 | aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8 |
| SHA512 | 337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a |
\Windows\SysWOW64\CCBKCSPV2.dll
| MD5 | 1c9bbec0fb2356025abfbe9e5ab2389e |
| SHA1 | 1afcb5b13146983c981c3e069c0af41102e4b7de |
| SHA256 | 2e51dde6b79f7cd4655b716b8560d368a4728af50c8cad4f14378937948033fd |
| SHA512 | 814b0f195978d35f7b101881033a82f0628e9d02d345b5053db0afe4bf8b7b69f14f9c7e0119a49d9c043bbade944b2a787c5297dce7c0bcc016e34908441724 |
memory/2152-51-0x00000000003C0000-0x00000000003CD000-memory.dmp
\Windows\SysWOW64\CCBKCSP.dll
| MD5 | 635c71f7a76a2917bdc642d3fe726e59 |
| SHA1 | f48ede1e746c83daa4362147b5e9bd00a3b0b012 |
| SHA256 | 2321e45539ce5d286aa8ecdbb5a402e8ee11a3d29d1ee8aed784bcb47b8df129 |
| SHA512 | 4e948e351d7ad587aab8813aa1159095687f10a4b8dc19218e5d827ceaf1d77ff946b32977560debf5e6dedf32cfd7eadc3d4197c1f5c35c3dba0f2f692ab6f7 |
memory/2152-55-0x00000000003C0000-0x00000000003CD000-memory.dmp
\Windows\SysWOW64\GetID.ocx
| MD5 | 5e46a2ab8198982de8b4a432e9b1ffa5 |
| SHA1 | 4605855364ce1f5cca174b0a721be8f4ad539816 |
| SHA256 | d128f2f8863db79ca5ad1f18ecb07c56b9f194ca5d9c049e0e53fa4916f83a93 |
| SHA512 | 6981db8de870c1f13c87155d97ac650b7d1805c03d66d9d567d1561e1ee5cd001f3d7251fb7361eea4a92e65373f52816218cab023e92977746ff094ff55b0b5 |
memory/2152-59-0x0000000001EA0000-0x0000000001F05000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
| MD5 | 4cf8946b95aaacc7397528f87f544931 |
| SHA1 | ea453cca204512982e0f60d848e434e5f069bc94 |
| SHA256 | 690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1 |
| SHA512 | f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207 |
\Windows\SysWOW64\TerminateProcess_dmwz.dll
| MD5 | b8923aa4efbb7be1b46dae19947be9d8 |
| SHA1 | 13f411716c5c0020c1d7873ca06e2d0aa93898fe |
| SHA256 | 6448b4fac741623589cd16a8a26b97e17bb4fa37216138ec0ce34946b5e6fb27 |
| SHA512 | a775ea0e55e1b215b3cb9294a6edfdfc52a00624b07f2763fe34ff7d4f48b2bd6c091dee979a0909b05a16897db17e7d88dee320a67d0e7b002d664ae5b5abb4 |
memory/2152-69-0x0000000003740000-0x000000000377A000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\Log\202405.log
| MD5 | 1460a0f715742a73d31223d22b391b58 |
| SHA1 | 3c065fafd04320ec3ab5be49b9b9168258ee7dfa |
| SHA256 | 1ddd36f88b7d6b5f57b1f076ea8c698696a4be39f9fdd8f1bd1741e43eb5897c |
| SHA512 | 9d9c4db0f8814f5945ed0857fbd00a2f0ed7541a1f0a5dd2415805d685033e37455784ffafafc479f26c934b0427bae14b9a3b45da4b1c21bbf49838d234a368 |
\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
| MD5 | c63e5be9a5fff8a11eea35f7d18f74b0 |
| SHA1 | 76401ef3718f853cd523d49cc958978ec4eb729f |
| SHA256 | 0a82a83db2a3bc561542f437bc8aedfd210a47fd56be7f80990a9c53ea730c69 |
| SHA512 | 775445dfefb53efc841f026873016cd6e54567c0138b65d2da8e8b38af2dd9a6952cc69913dadb4df3fd57558394b6ff5256aa1951c1455c2b27011c6061741e |
memory/2152-180-0x0000000003740000-0x0000000003886000-memory.dmp
memory/2152-179-0x0000000003740000-0x0000000003886000-memory.dmp
memory/1872-182-0x0000000001070000-0x00000000011B6000-memory.dmp
memory/1872-183-0x0000000001070000-0x00000000011B6000-memory.dmp
C:\Windows\SysWOW64\CCBDMBDI.dll
| MD5 | 193a33c6c16f816c22deb5d5738c7306 |
| SHA1 | 3e174015d9d87be3a213002c1a99228e9dc5b6ea |
| SHA256 | 4c67fffcccdf3e51e110959b1df4fe67303737c4000f8bd33cd9e92d84daa681 |
| SHA512 | b623655dd59084b2f9057c793e5b9ab9c6b8f3e627f9a0d871b0e4bdbff2486691cfa6b8f1a11177f127488c92d78725da6cfd52c741731fb65d3b303b8880d4 |
memory/1872-188-0x0000000074C60000-0x0000000074D95000-memory.dmp
memory/1872-189-0x0000000074C60000-0x0000000074D95000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\Language\English.ini
| MD5 | 15759a49acdb8a322c2c09b81fc71def |
| SHA1 | e24d59497c2f632fbf6fb3057ff76bbb6f2e5acc |
| SHA256 | b42aa3ba6f98117fca428d967574852ae646811433c0fbb0022f10fc5bc296bd |
| SHA512 | 7bc66dea932212307cf349ee5c9450891f8dee54f7bef6a027d0e763a615531e583cfd4520e82819ddaade3a5d375442fc08612c91ea31b3c506991bfd358b3e |
C:\Program Files (x86)\CCBComponents\DMWZ\Language\Chinese.ini
| MD5 | 8ed98c55a52ce392e605726f1601955b |
| SHA1 | 4b29520e47e5e94f8cddf6ed41656b4225465f10 |
| SHA256 | 1153dd6d71ce487bc24338636639512220a519b7af738474979ef73dcf735e59 |
| SHA512 | 925dd1577db33a65dd18ab2becff3e81ce04e0625e4e3053597553d4f866cb4d4fc08d2cf4a3230e51ffe13e796c2e14394702db3bfe0837da54d6514848590d |
C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini
| MD5 | e7750f1ca97ab8dce4052948bd2edd6f |
| SHA1 | a27413430b8f782ccb8ba6bcf5f11a9928e0535c |
| SHA256 | b6a40c7cd04ca11ed95495e089a69e56f799fabf0f39568f4ee7bb19ae49d769 |
| SHA512 | 5b36b9459730b19e7485ea7d882e4ca132197493d8d33616618e3646b30b782001682dcab5f02c24ca22cf2d76c97d99098b17440937c54d10bbd40a8eb39228 |
memory/2152-196-0x0000000003740000-0x0000000003886000-memory.dmp
memory/1872-197-0x0000000001070000-0x00000000011B6000-memory.dmp
memory/1872-198-0x0000000074C60000-0x0000000074D95000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4824 wrote to memory of 1684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4824 wrote to memory of 1684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4824 wrote to memory of 1684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1684 -ip 1684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1240 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1240 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2708 -ip 2708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 628
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240419-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
100s
Max time network
156s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20231129-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 248
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3468 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3468 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3468 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2596 -ip 2596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 636
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
Reads user/profile data of web browsers
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdcertm_ccb = "C:\\Windows\\system32\\WatchData\\Watchdata CCB OCL CSP v3.2\\WDCertM_CCB.exe" | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCBCertificate = "C:\\Program Files (x86)\\CCBComponents\\DMWZ\\CCBCertificate.exe" | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\USBKeyTools.exe = "C:\\Program Files (x86)\\CCBComponents\\HDZB\\USBKeyTools.exe" | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D4Svr_CCB.exe = "D4Svr_CCB.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npTDRSNctrl.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\logo.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\recfull.ico | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBEnckey.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\libnspr4.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\DMWZ\uninst.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\cert\rsa2048ca.cer | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Hand_TDR.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\TrayMenu_BackPic_1028.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_watchdata2G_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZBSNCtrl.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npTDRImportCertCtrl.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\nss3.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\plc4.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ssl3.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\usb.inf | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBGmSignCtrl.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\PasswordManage_1028.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\InfoScan.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\usbccid.sys | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\DetectRepair_2052.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\npCCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR2G.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Keyboard_Sel.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\D4C_1.gif | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_TDR_GM.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\InstallUsbccid.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCB_B2B_NetSign.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\libplc4.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\log\202405.log | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\DisplayK33.gif | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\nssckbi.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\CCBNetSignCom.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\CCIDDriverInstall64.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\Langs\2052.ini | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\usbccid.cat | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseSimple.dll | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\InstallP11_2G.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\AdminRepair_CCB.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\OnlineCS_2052.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\Ccb_Cert_dmwz_GM.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\ccb_pin_cert.dll | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\DMWZ\uninst.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\DMWZ\setting.ini | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_x64_silent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess_x64.exe_Rename | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Detector\CCBSignCom.ocx | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CCBComponents\DMWZ\setting.ini | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\HDZB\DisplayK54.gif | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| File created | C:\Program Files (x86)\CCBComponents\Tendyron\res\Keyboard_UP.bmp | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| File created | C:\Program Files\CCBComponents\WATCHDATA\DisableUDKDevice.exe | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe | N/A |
| File created | C:\Program Files\CCBComponents\uninst.exe | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
Executes dropped EXE
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ = "C:\\Windows\\system32\\CCBNetSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ = "C:\\Windows\\system32\\HDCCBCtrl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ = "C:\\Windows\\system32\\CCB_GMSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ = "C:\\Windows\\system32\\ccb_tdrmanager.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7741FA74-F105-4BEC-9451-1F84F5222EB8}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBEnckey.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B}\InprocServer32\ = "C:\\PROGRA~1\\CCBCOM~1\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\InprocServer32\ = "C:\\Program Files\\CCBComponents\\Detector\\CCBSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ = "C:\\Windows\\system32\\wdccb.dll" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\InprocServer32 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ = "C:\\Windows\\system32\\CCBSIG~1.OCX" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\InprocServer32\ = "C:\\Windows\\system32\\GetID.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\Control\ | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ccb_tdrmanager.Token_CCB\ = "Token_CCB Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B45B58FF-1085-48DB-8DB0-C6C4F2FB8597}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\MiscStatus\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\Insertable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98729C57-FC65-44AC-BE3B-CDCCD551FE03}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B7F63FD-BDD9-44DC-AFF3-8E4263B6644B}\TypeLib\ = "{DD45B150-DE36-486C-8590-F3BA84989601}" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{959E40E2-793D-472E-9732-9536A31F3337}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A79ECA9F-B118-4809-B6E0-25012FFCF7EC}\1.0\0\win64\ = "C:\\Program Files\\CCBComponents\\Detector\\InfoScan.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C144630-8A42-4993-97DB-E1A814A03757} | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\ = "GetID Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC16B67A-B2BA-4D0C-9F3A-24F200680629} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57328AEB-35E3-4967-8AAF-BC4E82DDB2A6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CDA9092-5173-48DF-A108-2BE97D6D9FC2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2017CCAC-0A5A-4674-86D9-55C8FA8BFD97}\TypeLib\ = "{63D36960-31DC-4D7C-BC3F-E8CB9CA5CBD8}" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\VersionIndependentProgID\ = "CCB_GMSignCom.CCB_GMSignCtl" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\Insertable | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B7F63FD-BDD9-44DC-AFF3-8E4263B6644B}\InprocServer32\ = "C:\\Windows\\SysWow64\\CCB_B2B_NetSign.dll" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537F36DC-4C2A-456D-A87F-00ED6F804908}\TypeLib | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B44DDA5F-CBD4-428E-A82A-041C0634A603}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723CFFE0-A2C0-4517-9468-D3EE78F85A3B} | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A41E8A-1444-43AD-A194-664816D6EF23}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8B0AAA-249E-42E5-92AB-DD70ECB7A4E0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86} | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBSIGNCOM.CCBSignComCtrl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\Insertable | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9249C471-F21F-47E8-9988-0F48C119E54D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFA12F84-D089-4CE1-BCDE-6F7F1383C3FE} | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\Programmable | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F14548F-6975-40F1-AE24-6E2D1D449B2F}\MiscStatus\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{959E40E2-793D-472E-9732-9536A31F3337}\1.0\0\win32\ = "C:\\Windows\\system32\\CCB_GMSignCom.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\InprocServer32\ = "C:\\Windows\\SysWow64\\HDCCBCtrl.dll" | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBNetSignTest.InfoSecNetSign\CLSID\ = "{1B7F63FD-BDD9-44DC-AFF3-8E4263B6644B}" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98729C57-FC65-44AC-BE3B-CDCCD551FE03}\1.0\HELPDIR | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\TypeLib\ = "{98729C57-FC65-44AC-BE3B-CDCCD551FE03}" | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\wdccb.dll, 101" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GETID.GetIDCtrl.1\ = "GetID Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WDCCB.WDCCBCtrl | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0460F5-48BD-4DC1-A046-0BDCB5A06CEB}\ = "WDCCBCtrl Class" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CCBSIGNCOM.CCBSignComCtrl.1\ = "CCBSignCom Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC96F5A4-C930-4226-ADAB-59349AE585E9}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB76A86}\Programmable | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48A7113A-2B2E-4ED3-9B26-5C21FABEB217}\ProgID\ = "ccb_tdrmanager.Token_CCB.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5DFD97E-664A-483F-A69B-55096D1A4E59}\TypeLib | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F432EA4-52B9-442C-AFBD-E1A73AD87043}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1CE16C6-EE96-44D0-8866-654C5536F810}\Version | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43F3E01A-9737-4223-A4BB-1587B96A79C3} | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEEF9BA4-6081-4768-8566-85D26E323ED8}\ = "IWDCCBCtrl" | C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3FE2B467-9121-4610-96C7-24DD7F06861D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBA27CAD-B01E-49D2-A157-D6A0B411279F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\INFOSCAN.InfoScanCtrl.1\ = "InfoScan Control" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9249C471-F21F-47E8-9988-0F48C119E54D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{128EEE5A-A2FD-4DDC-AFAD-8B03DA1CA18F}\MiscStatus\1\ = "132241" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1" | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = 0300000001000000140000001fe7a4a0984f10046ce3007d24e135c0828683a12000000001000000c7010000308201c330820166a003020102020600dbbc432b86300c06082a811ccf5501837505003035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f54301e170d3135303432353039303330315a170d3435303432353039303330315a3035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f543059301306072a8648ce3d020106082a811ccf5501822d034200047108bd2781def82a96655bb818265771a839bf32812b7cc4623b21f44d1c0e517fb15bdc3435a94d989a3476369aa105faefd53ae2bddf9263d518bfa2065c4aa360305e301f0603551d230418301680142e96d3f701920b15b70a2e691847d85eddb0354e300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604142e96d3f701920b15b70a2e691847d85eddb0354e300c06082a811ccf55018375050003490030460221008a45416d9cb81de03028c53168f89dc85dc197c6c498545f7ac708721baed189022100e8e47cc8dc138b915e3a15fd10f87d08d0c877b70ee5725af971ee31fca58666 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8582B4AF7491B3D16636EEB32D44993D7DEE6C40 | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Windows\system32\CCBSignCom.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBSignCom.ocx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Windows\system32\CCBNetSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBNetSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Windows\system32\CCB_GMSignCom.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCB_GMSignCom.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\InfoScan.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx"
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe"
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
"C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe"
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_x64_silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_x64_silent.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSPV2.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\CCBKCSP.dll"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\GetID.ocx"
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_2G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\sc.exe
sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\cmd.exe
cmd /C sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Windows\SysWOW64\sc.exe
sc.exe start "HDZB_DeviceService_For_CCB_2G"
C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
C:\Program Files\Mozilla Firefox\InstallP11_2G.exe
"C:\Program Files\Mozilla Firefox\InstallP11_2G.exe" /install "HDZB USBKEY 2G" "C:\Windows\system32\CCB_HDZB_2G_P11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SCardSvr start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start SCardSvr
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start CertPropSvc
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe start CertPropSvc
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe
"C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_HDZB_USBKEY_1G_Setup_S64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe STOP "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "HZ_CommSrv"
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /uninstall
C:\Windows\SysWOW64\cmd.exe
cmd /C "C:\Windows\system32\HZ_CommSrv.exe" /install
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\system32\HZ_CommSrv.exe /install
C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe START "HZ_CommSrv"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 START "HZ_CommSrv"
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Windows\SysWOW64\HZ_CommSrv.exe
C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe
"C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe" /install "HDZB USBKEY" "C:\Windows\system32\HDCCBpkcs11.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Windows\system32\regsvr32.exe
regsvr32.exe C:\Windows\system32\HDCCBCtrl.dll -s
C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe
"C:\Program Files (x86)\CCBComponents\HDZB\USBKeyTools.exe"
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe
"C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\Tendyron_Install_Silent.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\system32\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Windows\system32\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\CCBSignCom.ocx
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ccb_tdrmanager.dll
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegSecurity
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBP11
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\modutil.exe" -force -add "CCB-TDR-PKCS11" -libfile "C:\Windows\system32\D4CSP_CCB.dll" -dbdir "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/9bot8sq2.Admin"
C:\Windows\SysWOW64\D4Svr_CCB.exe
D4Svr_CCB.exe restart
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe" RegCCBPlugin
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32/D4Svr_CCB.exe kill
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32/ie_tdr.reg
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /i /s C:\Windows\system32\ccb_tdrmanager.dll
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_AUTO_RUN.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_RootCert.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\CCB_IESECLEVER.reg
C:\Windows\SysWOW64\regedit.exe
regedit.exe /S C:\Windows\system32\Trust.reg
C:\Windows\SysWOW64\D4Svr_CCB.exe
C:\Windows\system32\D4Svr_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\system32\D4Ser_CCB.exe -i -s
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4Ser_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Windows\SysWOW64\D4MON_CCB.exe
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe
"C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WDCCB_32+64bit.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe"
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe
"C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe"
C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe
"C:\Program Files\CCBComponents\WATCHDATA\registCCID.exe"
C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe
"C:\Program Files\CCBComponents\WATCHDATA\registerocx.exe"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wdccb.dll
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe
"C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe"
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe
"C:\Windows\system32\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\WDPKCSUtil.exe" -install
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCB ROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/9bot8sq2.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\ccbcert.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBRSACAROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/9bot8sq2.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\rsa2048ca.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CAROOT" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/9bot8sq2.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CAROOT.cer"
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe
"C:\Program Files (x86)\CCBComponents\Plugins\CARoot\certutil.exe" -A -n "CCBSM2CACHILD" -t "TC,TC,TC" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/9bot8sq2.Admin" -i "C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBSM2CACHILD.cer"
Network
Files
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\SkinBtn.dll
| MD5 | e4ec95271ff1bcebab49bdfed6817a22 |
| SHA1 | 2c03e97f4773aea80ecdb98a1482e5896fe4677b |
| SHA256 | ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6 |
| SHA512 | 771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d |
\Windows\SysWOW64\WDGetDeviceCaps.dll
| MD5 | 69bdf8e85baf7c14cd96b5803e91623b |
| SHA1 | ba9f5667b9ae1cf559fc2c5c7c1dfb236d6c4701 |
| SHA256 | 770f76c518a0246a16b698e647f0e61caa61cc48249f9f58a03ed3d09cf7381c |
| SHA512 | 9ba7c4889659ef26f7e13ee2016e75c63fdf04f073763607546a09f799f035bff946370053f3258964c86e5f1e330f422154979699cf180cde8021da293b5a97 |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\UserInfo.dll
| MD5 | 1e8e11f465afdabe97f529705786b368 |
| SHA1 | ea42bed65df6618c5f5648567d81f3935e70a2a0 |
| SHA256 | 7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b |
| SHA512 | 16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\nsDialogs.dll
| MD5 | ab73c0c2a23f913eabdc4cb24b75cbad |
| SHA1 | 6569d2863d54c88dcf57c843fc310f6d9571a41e |
| SHA256 | 3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457 |
| SHA512 | 99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8 |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\WndProc.dll
| MD5 | f0cb331dd4bd92a6ebce45e7cd1cf5ef |
| SHA1 | b66ea0c10b08750295f2dc7c170b370402393214 |
| SHA256 | e7b3115fa2ce4a8fa09beeefa4fb634a474197f38a2854ce9be60d0a26016458 |
| SHA512 | 7c33418f39b91ae0d4cc8b560f516bac293593eef539832815028878c2058bf1691c2d767a039cf312989839071f2f6f0b6d9d59835acdfff6b448bf1ffea271 |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\SkinProgress.dll
| MD5 | cc037c4703d3ec257efeef2ce0a1a20e |
| SHA1 | b3d6cc8f687a31fb2c1a5921a38de9429af20502 |
| SHA256 | 888b32ecbc37ce67d4edc28d894cba0a4f4e2488cfc2212d1af011bd0bfe97ff |
| SHA512 | 120bfa0a68775bef04c1863023b0e73a41982284fb36da7f497fbb7d5ed8631ad02fa09951424d339f6fefaa90a17c12f949dd68bb33bad64b1b7cace489d2a7 |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\nsProcess.dll
| MD5 | 05450face243b3a7472407b999b03a72 |
| SHA1 | ffd88af2e338ae606c444390f7eaaf5f4aef2cd9 |
| SHA256 | 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89 |
| SHA512 | f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\KillProcDLL.dll
| MD5 | 99f345cf51b6c3c317d20a81acb11012 |
| SHA1 | b3d0355f527c536ea14a8ff51741c8739d66f727 |
| SHA256 | c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93 |
| SHA512 | 937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef |
memory/2732-83-0x0000000002271000-0x0000000002272000-memory.dmp
memory/2732-82-0x0000000002270000-0x0000000002273000-memory.dmp
memory/2732-84-0x0000000002270000-0x0000000002273000-memory.dmp
memory/2732-85-0x0000000002271000-0x0000000002272000-memory.dmp
\Windows\SysWOW64\CCBSignCom.ocx
| MD5 | e4f5e04513036f0ddca8452f6b88981c |
| SHA1 | a31c11631df92f0bf4d79e90bdb5769e856d79c0 |
| SHA256 | 2b3d9e41ee6faac2964f185fc9db6da191beeb2a6e55fe551761d2c0b3d891cc |
| SHA512 | b1a491f8b25bdf51577a38b683b3d67fd652bfaf90aa9ef8332a35d33403cc889838b72a3ec1f15c424a5284ec182b22110514b58e94e8d55c8a329556153949 |
memory/2732-109-0x00000000022A0000-0x00000000022B4000-memory.dmp
\Windows\SysWOW64\CCBNetSignCom.dll
| MD5 | 6e273d4a6e9c7d903c7bab06d236a8d5 |
| SHA1 | aa16f5fae95970c25512302f735e1ef17f207ad1 |
| SHA256 | ab9ecb56a434c27d7d7759f292107ca96247cd695886e6df7715be7645f468ab |
| SHA512 | 4e9b1f28377d6b335db37d7d84cecdf70e8ca34dd3082c1e06c3731e32c578b8073e5f25e395319a55b0a96c1c6b216600e1350129190ee1b5706853b7c6efa4 |
memory/2732-113-0x0000000002440000-0x000000000246B000-memory.dmp
\Program Files (x86)\CCBComponents\Detector\InfoScan.dll
| MD5 | 5cb64d5b941ec3d20ac6d7857684c2bb |
| SHA1 | f2bfe5aaaad94eda13af0539ecc77e9bdc1f0934 |
| SHA256 | 1860b4b05a00601804c1dcaff6be842b793439415856dc15ee8a4ba919ae4e81 |
| SHA512 | 0ad989eca15e8a02c7add455ee5e302f060644c040aaab4be453df1638a64986f61a1f18e4ec82d671f0903b6d2a820a2d1ccfc34aff7f6dec823a92c18c889d |
memory/2732-121-0x0000000002500000-0x0000000002549000-memory.dmp
\Program Files (x86)\CCBComponents\Detector\CCBSignCom.dll
| MD5 | f6a368156833b41c599b20abb170c311 |
| SHA1 | 81e37a72ac80b0241316d307f0fe1fae12cb1292 |
| SHA256 | cfff2006afce81335b920cdc79f891400fb58e8bac8849a7cfc3af1395c9cff3 |
| SHA512 | 1105ec1d006ca02462f803da3b5a8fcd663f7efc4f3ff900d796f4aa1b1a0da4879d2f283c6f6c6d83207fd3bc54ebca592f8b7ddbb3090a0b42636212320537 |
memory/2732-128-0x00000000022A0000-0x00000000022BA000-memory.dmp
\Windows\SysWOW64\CCB_GMSignCom.dll
| MD5 | 5ff73145e92972b7bc676eb7e417b90f |
| SHA1 | f8fd6f624453240dce8c4d9753ddc63323a92d1a |
| SHA256 | 1ca4326bceb304111af72eb3db6a3149b49bc389bab8fae02ae8d40cbbd45f1d |
| SHA512 | 68fcae61701da5190a10ec8e04406d881a64422029a3146fa1c54558bc88e8e51150baf2db821bf01a02864afc3630bbb23b9d3e415349fc77f94f536387dd4c |
\Windows\SysWOW64\CCB_SwxCryptSimple.ocx
| MD5 | e1201caf7fb3afdb374d3b920861a44d |
| SHA1 | 9bd5a5d32d54b50a9977da72d30081585402795f |
| SHA256 | 3b1fead7a903b7e130ff4bd13984af2c7f6709f452cb2900052a8fac92ea9208 |
| SHA512 | f4fdd73be7e08fe82fdb43b8813593053e5e4a5c62e2575a005b8b85e7d30a3bee091c66b6d9c73e5dc6b0fee81898b6c03dee4da14bcdd0ee1194ab5ca9a86d |
memory/2732-132-0x0000000002270000-0x000000000227D000-memory.dmp
\Windows\SysWOW64\CCB_B2B_NetSign.dll
| MD5 | 2ff34fe3f36fbfa2a294e74d697c2a08 |
| SHA1 | ed380eb82606ca061ad41e6f0adbab336a8a31db |
| SHA256 | 37cadf96f82b728536f4d3ac646d7431826118c0f3549ad1fa45a81c653e4647 |
| SHA512 | 7de686d6b906458af4e05adce4a7cea793d2e77e0f9ee7dd909f3c45fd8d47f997ea8e7677fcc3c85e1fb3cee6fa480acbcc67596b33fc90a4f69f409d7ba316 |
memory/2732-137-0x0000000002500000-0x0000000002544000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\nsExec.dll
| MD5 | e54eb27fb5048964e8d1ec7a1f72334b |
| SHA1 | 2b76d7aedafd724de96532b00fbc6c7c370e4609 |
| SHA256 | ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824 |
| SHA512 | c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4 |
C:\Windows\system32\CCBSignCom.ocx
| MD5 | 2128d0b70caa153947174f138dc11946 |
| SHA1 | a21e6e153135b820c685c57b0c6337ed9f6dafda |
| SHA256 | 6c33be6e11ba387c662d25982dd9098a587b9b6906094596c65ca6e8442e6d98 |
| SHA512 | 87f953cf9e4fa8756702f7b9524fa019ae56320267d3b15ac5862f8ef3f233a6681975ca4857f8a90b75991f4dacd4a7ba35bcd61f044bd36a0a87c605b26761 |
C:\Windows\system32\CCBNetSignCom.dll
| MD5 | 069063b19534f2699e4d353fbe72fe42 |
| SHA1 | 6ded747a28f7bd791bd8166c89d265ec68545d4a |
| SHA256 | 68a4f6faf5e733a6a532e36a93764198592cc0c35b0891145048c0c3c394c08c |
| SHA512 | 663d0bd9d46118807d6904f679d3206befd77da33983f73050ef6319c66b358c76da0833fcc61bdf1e4749f5343b1962dca3127e1be13eb7c8f4404a0a4e9929 |
C:\Program Files\CCBComponents\Detector\CCBSignCom.dll
| MD5 | d0b6647ef3102b155dc6101bf6a27120 |
| SHA1 | 62df487fcac03d6596b9100f2eb7a85e965f0cb9 |
| SHA256 | b78ed7af92fbd47167ec57e451b7490056a243866ce491dab1097df89ed79186 |
| SHA512 | 1c2b1b6da76e323c340863b0fc0c860e1251b2bc48082136cd0e1a571219d73f796b1c483c361fddafd2ffd05d24d669a04a38fc43faeae9fa0d398668a5ccf4 |
C:\Windows\system32\CCB_GMSignCom.dll
| MD5 | 515a7c20b95a3c55eb490a54d82d33b5 |
| SHA1 | 68638eae1f06d1ef94841a7b3deee46dd8db8a9d |
| SHA256 | 4fdd8bfc2980ba057a0b7e44fea8e0457bcc12ab0c5a639a0f0855e059cb674c |
| SHA512 | ba66d906fe187abcde5e4d045cd4a9abc2ec60ac4c7c680310261cc637cee47b7b1f75f1c8bf1504438f4110197c52e7cec4aff499366c054d22eda77616830c |
C:\Program Files\CCBComponents\Detector\InfoScan.dll
| MD5 | 71f74b17f453246c7d88126cd80068f3 |
| SHA1 | dbe6b9b6a95cab190d66de7f0375a2ec88286359 |
| SHA256 | ba3ad663e1f5cb810db1c34dc9cca21190500979e15e1641215cd8437b2f6fca |
| SHA512 | f8d91aa100275bad79e5272efc083240d316182b91e7534a84806b21cb9047eaffc39f405a7d3f9acc39791c30d1e8aa86fc344e293554926f11af128328d2d6 |
\Program Files (x86)\CCBComponents\Detector\CCBEnckey.ocx
| MD5 | 62837d39d1936664809ae7adc52b5d0e |
| SHA1 | 5f79dd73ed525ae182a60a039fc3d06288e8fd44 |
| SHA256 | e53e3ce9e2185bc0a2f80f8a8d860b199a4a312bd7f3db0a147d9dc5e92d520d |
| SHA512 | ee888f9ae9e8f78195a67bb5d4404b86e7c5bff13141d179f9e34372a2323b1eec1668a917d81c9b717565fda11e161aa752485610e4b1db2865d0631c631c80 |
memory/2732-223-0x0000000002490000-0x00000000024C0000-memory.dmp
C:\Program Files\CCBComponents\Detector\CCBEnckey.ocx
| MD5 | a4311aa2526e1ce8ce888b4eebf5ba63 |
| SHA1 | 278e9c6377a0039db286030cdac82112cef4f0e6 |
| SHA256 | ed953b3cbbbde0291f7e27244560c7ed65e5517c358f3049eb2ed938a11afa35 |
| SHA512 | 6316c32b732c7cbdcaaf41c7e23676392cee1728f716fdf3405a84e99426710c59107f3db3957024afe138bc2bb12a960e3e5c889b4d3d0d94626be3f9186832 |
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\CCB_DM_LCD_32_silent.exe
| MD5 | 41eb203bdc4ad6aecac9ea2ccac4afd9 |
| SHA1 | b6c35b4171581fc61a6c39cc8d2ccd54b22f4c86 |
| SHA256 | d87e85a1cebd90e0fc680c5487488fe93a66d0c8b2f73c37705759a5f67a6bd2 |
| SHA512 | ff15025671e5df2c75b315bdf81bd9de10d833c5189d35437cb38a38c80b4afcc24e060b05fe0d3e370b90ebe099afd930876a72a6c23ef57a473ffb94cf0e68 |
\Users\Admin\AppData\Local\Temp\nsi3D9E.tmp\GetVersion.dll
| MD5 | b4cec45a9909c10a8d387c8eb72e8d0d |
| SHA1 | 609e1ff7627aa88db0adbf79897fc8c786f42be5 |
| SHA256 | aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8 |
| SHA512 | 337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a |
memory/2136-289-0x0000000000720000-0x000000000072D000-memory.dmp
\Windows\SysWOW64\CCBKCSPV2.dll
| MD5 | 1c9bbec0fb2356025abfbe9e5ab2389e |
| SHA1 | 1afcb5b13146983c981c3e069c0af41102e4b7de |
| SHA256 | 2e51dde6b79f7cd4655b716b8560d368a4728af50c8cad4f14378937948033fd |
| SHA512 | 814b0f195978d35f7b101881033a82f0628e9d02d345b5053db0afe4bf8b7b69f14f9c7e0119a49d9c043bbade944b2a787c5297dce7c0bcc016e34908441724 |
\Windows\SysWOW64\CCBKCSP.dll
| MD5 | 635c71f7a76a2917bdc642d3fe726e59 |
| SHA1 | f48ede1e746c83daa4362147b5e9bd00a3b0b012 |
| SHA256 | 2321e45539ce5d286aa8ecdbb5a402e8ee11a3d29d1ee8aed784bcb47b8df129 |
| SHA512 | 4e948e351d7ad587aab8813aa1159095687f10a4b8dc19218e5d827ceaf1d77ff946b32977560debf5e6dedf32cfd7eadc3d4197c1f5c35c3dba0f2f692ab6f7 |
memory/2136-293-0x0000000000720000-0x000000000072D000-memory.dmp
\Windows\SysWOW64\GetID.ocx
| MD5 | 5e46a2ab8198982de8b4a432e9b1ffa5 |
| SHA1 | 4605855364ce1f5cca174b0a721be8f4ad539816 |
| SHA256 | d128f2f8863db79ca5ad1f18ecb07c56b9f194ca5d9c049e0e53fa4916f83a93 |
| SHA512 | 6981db8de870c1f13c87155d97ac650b7d1805c03d66d9d567d1561e1ee5cd001f3d7251fb7361eea4a92e65373f52816218cab023e92977746ff094ff55b0b5 |
memory/2136-297-0x0000000002F50000-0x0000000002FB5000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\InstallP11.exe
| MD5 | 4cf8946b95aaacc7397528f87f544931 |
| SHA1 | ea453cca204512982e0f60d848e434e5f069bc94 |
| SHA256 | 690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1 |
| SHA512 | f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207 |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\nss3.dll
| MD5 | 2ba192cdd158267b0a62a514220ec21e |
| SHA1 | bffcaba4f7a3cda6d426c3bc94f3e4fc0b4e8f14 |
| SHA256 | fcba9dc618fb63804e977ddba96103c05e5a5f8bef9b2e78f48247b9463dd2b6 |
| SHA512 | 3fbc5e7b126dee0aefe5cf36d64699357f6cf88ea3b4748063d969e4484c4d868a204462670d566c879781b0446ef49f50466c4a7f774f535cd49bc1d053f9c0 |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\libplc4.dll
| MD5 | 3f272e5e11ee246c749be22e032d8ecc |
| SHA1 | 59ee06cd5a4f7eebb155f7afbececa31f028fcc0 |
| SHA256 | c8703b949959875ef89048e28bc5dc0d852ea2e4b71f0561a751d478c514ea39 |
| SHA512 | 1f1c70ff62cf3d1eea05493e32065d5093c0123591cc0862a18ed4b12d2fedbe8ca5625bb2910b71e6f54728322e4e0f0472ff1523fd0c87039a81ed89364eca |
\Program Files (x86)\CCBComponents\Plugins\CARoot\nssutil3.dll
| MD5 | 0b45d4cd1ed4f840e8419e3523442f07 |
| SHA1 | d99617ab9b24b9b87481a2a00a6d72ce639e5611 |
| SHA256 | 313885db0aa185cd91eb516d9649276382c41bbf7dcafe30f87c80c9a3c0743e |
| SHA512 | cff35acaed89b3a44e62f73ae5c6ac97cac9d505a6b8d8eb9c7d62298b227844a3fd99bd9cd03087b682a3c2a6e83175670faaadfa5b5e1e4dc87c18fa2ee6e0 |
\Program Files (x86)\CCBComponents\Plugins\CARoot\libnspr4.dll
| MD5 | b23f114ea3c7d763f27c26e5836c3b57 |
| SHA1 | afa5720eb883c7c4dce115701ccaaa59a09fb9eb |
| SHA256 | 8e3476f28c540d4dee38890cbc05834866930b8a08b3034f8ada5528321f8890 |
| SHA512 | 3640e7f94b327e4ab9b0e205c1c35807b851342caa352febc2ebeba128a7a7f755f08fb2df6cd166a65d7b4183bab11299d7af9bb8050149b81189c7f87705e1 |
\Program Files (x86)\CCBComponents\Plugins\CARoot\libplds4.dll
| MD5 | 49998f7c68e5ef9024ddfa95fc7f4861 |
| SHA1 | daea1862a3263d793df136d6d19e7cb5430ad0b7 |
| SHA256 | b420d5c6bd86f8fb14ce459340aea8b2ce1c1e382e56f7a1ab2b13b401b5a282 |
| SHA512 | 0ea4cf2329029b2c8df8d50d1a5af28b493f85f04dac1d163065d74c265f7261580a8673b3b730def725564d3a7c4eb8f0c0bb2c7ac1d5703739bea92b390387 |
\Program Files (x86)\CCBComponents\Plugins\CARoot\nspr4.dll
| MD5 | fe0d7456cb53476e4cce3c75ec03bbb9 |
| SHA1 | db27b7aba5aae04dde9e7c571c72fb16de2d2554 |
| SHA256 | dc066b51cb93562d3981bbd0dd8f824f191de66a311a2c181161074752c268fa |
| SHA512 | acac6690673e7d3e1c55efed8f9b888e32d4ba03597233af3d897e2fd36853e1a42697c2a5109fbb188e8b4d024eec1f9844cadc29b3001f269ad0b7416ee33e |
memory/896-321-0x0000000002970000-0x0000000002A7D000-memory.dmp
memory/2136-329-0x0000000002F70000-0x0000000002FAA000-memory.dmp
C:\Windows\SysWOW64\TerminateProcess_dmwz.dll
| MD5 | b8923aa4efbb7be1b46dae19947be9d8 |
| SHA1 | 13f411716c5c0020c1d7873ca06e2d0aa93898fe |
| SHA256 | 6448b4fac741623589cd16a8a26b97e17bb4fa37216138ec0ce34946b5e6fb27 |
| SHA512 | a775ea0e55e1b215b3cb9294a6edfdfc52a00624b07f2763fe34ff7d4f48b2bd6c091dee979a0909b05a16897db17e7d88dee320a67d0e7b002d664ae5b5abb4 |
memory/2472-423-0x00000000008E0000-0x0000000000A26000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\CCBCertificate.exe
| MD5 | c63e5be9a5fff8a11eea35f7d18f74b0 |
| SHA1 | 76401ef3718f853cd523d49cc958978ec4eb729f |
| SHA256 | 0a82a83db2a3bc561542f437bc8aedfd210a47fd56be7f80990a9c53ea730c69 |
| SHA512 | 775445dfefb53efc841f026873016cd6e54567c0138b65d2da8e8b38af2dd9a6952cc69913dadb4df3fd57558394b6ff5256aa1951c1455c2b27011c6061741e |
C:\Program Files (x86)\CCBComponents\DMWZ\Log\202405.log
| MD5 | 61617b381cbbac9c65dc1860e3f6e0bb |
| SHA1 | a9ce8dc2ba2304889ee82f0597d35b7c7c854816 |
| SHA256 | 941dc9abb4c21423a5b2989411159f2204b6f5a7ab57e901571f741f335bc6d2 |
| SHA512 | fca6358065fa28b89674691ed34db35e07e7ed246565f52afe230faad53d9db18211a04b5d4955eb9bfe7542dd2e6b7f45da57a0233d4c4de7a18d47e1e427a6 |
memory/2472-424-0x00000000008E0000-0x0000000000A26000-memory.dmp
memory/2472-427-0x00000000740C0000-0x00000000741F5000-memory.dmp
memory/2472-428-0x00000000740C0000-0x00000000741F5000-memory.dmp
memory/2428-463-0x0000000002FF0000-0x000000000302A000-memory.dmp
C:\Program Files (x86)\CCBComponents\DMWZ\Log\202405.log
| MD5 | 9db5bac6b1a0124c2a1784bd70331c42 |
| SHA1 | 5ac7e7e566b42122f1a124ebcea47da4ac56f8aa |
| SHA256 | f4d09a8875f3f53183cd66043e2f2cfeaa9c4fb4afb6c4c82482b3b6a0b94da7 |
| SHA512 | b9ec6dfa5d7ff309deb9261aa3f61da03e055c7b90f715647942c7e26d729b5147f7deaae57685e0769d0aef84234193655591564bf3d270ce3b967c5fb9990a |
C:\Users\Admin\AppData\Local\Temp\nst626C.tmp\ExecCmd.dll
| MD5 | b9380b0bea8854fd9f93cc1fda0dfeac |
| SHA1 | edb8d58074e098f7b5f0d158abedc7fc53638618 |
| SHA256 | 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244 |
| SHA512 | 45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c |
C:\Users\Admin\AppData\Local\Temp\nst626C.tmp\hzSrv.dll
| MD5 | f816b7dd6a58d7cd07ad9cb34f853032 |
| SHA1 | 28bec0775633c12d68cb8f8e6b4036c7375bf6b0 |
| SHA256 | 9794c36fc163fe0d2821fdd599d7940b3159d8856d62de3d4280f457439a4f61 |
| SHA512 | 7a483a42dc341f6ffd73f64020527940efc56dca5e629caceae5fd544b9c42fac361d7a15cd47a8b323053321c8eaf411b2b37af0bd432ba2bca7e981efd4b7d |
C:\Users\Admin\AppData\Local\Temp\nst626C.tmp\ThreadTimer.dll
| MD5 | 697f61a904654e9363e28c5223182994 |
| SHA1 | df916f7098e3f89a5cf100529ba3480feba71ce9 |
| SHA256 | 5ffc3354029e6c6ed0a7db4690fe74d453980a3f21dc8cf0fb94cb5bbd421ac1 |
| SHA512 | 3bfd89810bccb0d8b389988201f65b8823f138f763a1cc0cbeebdeee5a086c5c8dfb18e2a4d664648224bb96dce0ce7b6936ccc63b10f6f56fc1a4247a0d0eb4 |
C:\Users\Admin\AppData\Local\Temp\nst626C.tmp\InstDrv.dll
| MD5 | e33c90099612f1769abae7da48953731 |
| SHA1 | e111dfa793910b7a4c4c0a845415f4de839f5f41 |
| SHA256 | e513f09fa603941cf40bd76e458069966a616b3e125b772f85259ea2a9fbd937 |
| SHA512 | 1fa472a40c3bc05e2e970a7621ae0d40d5d86e6c75d28807d6780330a735254653c777f73aff5ae60af8e2030df3bd535bfa2ec0e9ddeb5b18303b3124169d8a |
memory/2732-714-0x0000000002271000-0x0000000002272000-memory.dmp
memory/2732-716-0x0000000002271000-0x0000000002272000-memory.dmp
memory/2732-715-0x0000000002271000-0x0000000002272000-memory.dmp
C:\Program Files\Mozilla Firefox\InstallP11_HDZB.exe
| MD5 | 2ee763536226ae317cabc8750fca6d2a |
| SHA1 | 25e644b246e810eb76abbce0ddd7a311ccc86599 |
| SHA256 | a5470f7f96567abda014d4507ecfb5ae682b5c6de3c3ee7d0ac1469f661fb2a3 |
| SHA512 | 9d31e0519c4d0e0167e779a35c225ebcdbc2441c49c5e1d946ace8a245b002fd1b1d717f963224ef4015cfa9c76eeb45bed3ce0dfa1c2ab2d14d6af8e59990ca |
C:\Users\Admin\AppData\Local\Temp\nso894E.tmp\UserInfo.dll
| MD5 | d16e06c5de8fb8213a0464568ed9852f |
| SHA1 | d063690dc0d2c824f714acb5c4bcede3aa193f03 |
| SHA256 | 728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531 |
| SHA512 | 60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a |
C:\Users\Admin\AppData\Local\Temp\nso894E.tmp\Plugin_CCB.dll
| MD5 | 8aa990c680e54554fcdf1e07e59ed789 |
| SHA1 | fdbcb99c041d0453e99ddef11fa70d60a812120f |
| SHA256 | 4c2d967fde800c92e003c926cde1f166d987409b38b53e9371f6e72b0c1fb342 |
| SHA512 | c227bc1fcb07534d6d66e874cbe1a076569c8a8d30cfe42683ce94a7b4d8d3268dd74610d5af8cfa035f932ec056c9f466ebd04bcbf81fa78fffac83be536747 |
C:\Users\Admin\AppData\Local\Temp\nso894E.tmp\KillProcDLL.dll
| MD5 | 83142eac84475f4ca889c73f10d9c179 |
| SHA1 | dbe43c0de8ef881466bd74861b2e5b17598b5ce8 |
| SHA256 | ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729 |
| SHA512 | 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1 |
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\CCBTDRFirefoxCtrl.exe
| MD5 | 1ef013aaae6f4427566f2bb3f6622042 |
| SHA1 | 327103615c471194ca9abaeefeef01fc36418161 |
| SHA256 | c203342227b8bc4161731d3a559a5c6f1358bbd7efca5546c23307257b7ff144 |
| SHA512 | f852128293b59faef4022e5bcefb9b819b0252020d0b3c2292c92700504fac3c2291d0623c903532fa8e4519af670b895e45ee9875b8609b3ba51987aab5f13c |
memory/2472-915-0x00000000008E0000-0x0000000000A26000-memory.dmp
memory/2444-917-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2588-916-0x0000000000280000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.Admin\key3.db
| MD5 | 5bd9e45eca6746d66172fb66f3175bdc |
| SHA1 | 5bbb48ad3a86f584ae13aeed12d0a50033986b3f |
| SHA256 | 6452d0d7c31bf5ce9bcb4563837d40034fbc645c005ee3a804b29b9b8f10b735 |
| SHA512 | 5053a614fe195afece93461900b11c9069d0a6d17a01378e307a086f07f8d34ed163a2642e88d707776b51e8f40cb13f6e4c624e61b5c1da7322058a147dd21f |
memory/2444-935-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2472-984-0x00000000740C0000-0x00000000741F5000-memory.dmp
C:\Windows\SysWOW64\D4Ser_CCB.exe
| MD5 | 77452d8362fab9706038e75733892401 |
| SHA1 | 53f1f15df446b161c1a004dd0816644f767141e7 |
| SHA256 | 92d63ef0a120a86b5d001ffce6592f8640294f36d6e114e0ee0449c10243083c |
| SHA512 | 551f30696aa98998a3d61de2dd9023e1e3172323c6f81fe9d9cc9efd43790cd819218150f3c528e4b6139051046e0a8999d5270b93715708bd1e5b03721d9aba |
C:\Users\Admin\AppData\Local\Temp\nso894E.tmp\System.dll
| MD5 | 959ea64598b9a3e494c00e8fa793be7e |
| SHA1 | 40f284a3b92c2f04b1038def79579d4b3d066ee0 |
| SHA256 | 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b |
| SHA512 | 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64 |
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\DisplayKey.gif
| MD5 | b5cc4051adf7489a983c0655c27bc9f3 |
| SHA1 | f52d0a0e0e2dfedcab73a6328b8e413b4285a512 |
| SHA256 | ad86465eb3baca8d9457fe1bd15d76572a6c625a384d4f7b0ff542776245cbcb |
| SHA512 | 0d3c9778e5a87b1c01ec4898fe446222ca608f50ca04f689f7bcd5ca75d3449912fb5d9b4c99a1e332699c82bf0ba3590bb1a8f05e2bac1b408130182fecc320 |
C:\Program Files (x86)\CCBComponents\WATCHDATA\registerocx.exe
| MD5 | dcc5f09ea4d286545f8d6eefb05249ce |
| SHA1 | 38b4d09b4ac702d688bb40158c7ca7d46a51b0ed |
| SHA256 | 1a6eb9dd1f334870edadc5c0b6242e265a54082e8f0ba0a43f85fc5816859f1a |
| SHA512 | 68c1e19a46c98b127a7384b99358d08bae7a7934a8e4ea5a8fe1df0a2dc7fa7323c5e437fe9a4b155332b6d336429c5b78d3d17e439fb662dec6069393a332a5 |
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCID.exe
| MD5 | 4d66c2f2e677527ea8f42e178d2c0e0e |
| SHA1 | 7e28476011e688ad5fe6f2fc156cd30c50edea76 |
| SHA256 | 719552f9f7eefc5ef48d7ce00520e065143e394abb35ad79b342d924d2bd6922 |
| SHA512 | 422ae109017f701c5032955d60204fbeb726d222fa8698825525762865c5f67cb2ac5752712413c00d91c31d3eef6a9985c2580ce4d51219934ea97ddf38cbde |
C:\Program Files (x86)\CCBComponents\WATCHDATA\registCCIDCom.exe
| MD5 | 54040ca0b9990110725492895c05a304 |
| SHA1 | 3acb15d8ca088e26a596fbba8a58c9102a2ce761 |
| SHA256 | 88201467a60914be9a96a8cc254c5c8786bfa1c49643ffcdcc8253217b7071d8 |
| SHA512 | 96193ea93fe918f0e010cd56988661c0fb27fa2c25bd99c1de132335e69aeac02c2ec72b126237056fd8d08715a73c848319439dccf56ea6caecc2b56e703254 |
C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDCertM_CCB.exe
| MD5 | 59d9a67cefcd269e81d9145443eb7bf8 |
| SHA1 | e18a8cdfb6e1496ca6139322b86d5d19e565a0f0 |
| SHA256 | 9f8b5710769760693edb94e54237c651f3bf6b9d04fe9d23213ae1bee0d508e2 |
| SHA512 | 06220da58448c9d1c5582a3d41950020ad82017602cb8eb4e3cdca7111ac6cb062a64f0bb676e1edbb770ed13a932bdc0595413067127e2cb3f16d23f118bed0 |
C:\Program Files (x86)\CCBComponents\WATCHDATA\log\202405_install.log
| MD5 | 6e9e828499abeb2a74f09aca4563351f |
| SHA1 | ec3264fdde771828339993f6e584f992bac1e8a5 |
| SHA256 | a0be898999255a01ffe4c1c91ba19357149eca2919b7a8824cbc7f34ab9ac4cc |
| SHA512 | d51bb322ed6ae72355d429e55b2b6a82cb132458b7dff4ce65b4dc7f8d83a13b625eb98e28c08645261a3d0aa3f6c6ab93ed88ce697efad3903d356021612456 |
memory/1732-1157-0x0000000010000000-0x0000000010097000-memory.dmp
memory/1732-1160-0x0000000002270000-0x00000000022D5000-memory.dmp
memory/1732-1165-0x0000000002490000-0x00000000024C9000-memory.dmp
memory/1732-1168-0x0000000002830000-0x00000000028C7000-memory.dmp
memory/896-1170-0x0000000000430000-0x0000000000495000-memory.dmp
C:\Program Files (x86)\CCBComponents\Plugins\CARoot\AddCert.exe
| MD5 | 4088bded78af790b3200d0ebb519901f |
| SHA1 | a4eccc39fa9516a51a1ff55ee01dbaf693a80d16 |
| SHA256 | 83b540939cabe0fbfb0e3fe7a5782be201cd5280c14d850df3249559999fc44d |
| SHA512 | 7550c776f08107dd43c9599ffedd0ed3a21d1541f2c594a9ab4b515d06140c4c42862ecd378c0bd419cd9cb6c9fb97e675ff2c2b049c1d1e2dae00e3cf693042 |
memory/1664-1180-0x0000000000520000-0x000000000053F000-memory.dmp
memory/2448-1191-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2588-1202-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3032-1213-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2888-1224-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1732-1261-0x0000000010000000-0x0000000010097000-memory.dmp
memory/1732-1262-0x0000000002270000-0x00000000022D5000-memory.dmp
memory/1732-1263-0x0000000002490000-0x00000000024C9000-memory.dmp
memory/1732-1264-0x0000000002830000-0x00000000028C7000-memory.dmp
memory/896-1265-0x0000000000430000-0x0000000000495000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 248
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1896 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1896 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1896 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20231129-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 276
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3960 wrote to memory of 4668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3960 wrote to memory of 4668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3960 wrote to memory of 4668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\InstallP11.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmccbplugin.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 248
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 220
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 228
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 2356 (7 identical events recorded) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1
Network
Files
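The rundll32 entries in behavioral13, 5, 7, 19 and 31 all share one shape: a 64-bit `C:\Windows\system32\rundll32.exe` is handed a DLL pulled out of the NSIS installer (the literal `$PROGRAMFILES`, `$SYSDIR` and `$PLUGINSDIR` directory names under the user's Temp are unexpanded NSIS variables), the entry point is an ordinal (`#1`) rather than a named export, and the native host relaunches itself as the SysWOW64 copy because the DLL is 32-bit; the repeated "PID 1340 wrote to memory of 2356" rows are that relaunch. The script below is an added triage example, not part of the sandbox report or its tooling: it parses `(image, command line)` pairs as they are listed above and reports those traits. The function names and the finding strings are hypothetical, and the sample process lists are constructed from the behavioral19 and behavioral31 entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NSIS install-time variables. A literal "$PROGRAMFILES" or "$SYSDIR" in a file system
# path means the file was taken out of the installer and run before NSIS expanded it,
# which is how the per-plugin analyses in this report were produced.
NSIS_VARS = ("$PLUGINSDIR", "$PROGRAMFILES", "$SYSDIR", "$INSTDIR")

# rundll32.exe <dll>,<entry>   where <entry> is an export name or #<ordinal>
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<entry>[^\s,]+)\s*$", re.I)


@dataclass
class RundllCall:
    image: str                  # system32 = native 64-bit host, SysWOW64 = 32-bit host
    dll: str
    entry: str
    by_ordinal: bool            # "#1": no export name to hint at what the code does
    in_user_temp: bool
    nsis_vars: Tuple[str, ...]  # unexpanded NSIS variables found in the DLL path
    wow64: bool


def parse_rundll32(image: str, cmdline: str) -> Optional[RundllCall]:
    """Return a RundllCall for a rundll32 command line, or None for any other process."""
    m = RUNDLL_RE.match(cmdline.strip())
    if m is None:
        return None
    dll = m.group("dll").strip('"')
    entry = m.group("entry")
    low = dll.lower()
    return RundllCall(
        image=image,
        dll=dll,
        entry=entry,
        by_ordinal=entry.startswith("#") and entry[1:].isdigit(),
        in_user_temp="\\appdata\\local\\temp\\" in low,
        nsis_vars=tuple(v for v in NSIS_VARS if v.lower() in low),
        wow64="\\syswow64\\" in image.lower(),
    )


def _add(findings: List[str], msg: str) -> None:
    # Native and WOW64 hosts carry the same DLL path, so keep each finding once.
    if msg not in findings:
        findings.append(msg)


def triage(processes: List[Tuple[str, str]]) -> List[str]:
    """Turn one analysis' (image, cmdline) list, in launch order, into findings.

    A native rundll32 followed by a SysWOW64 rundll32 with identical arguments is the
    64-bit host relaunching itself for a 32-bit DLL; the parent's process-creation
    writes into that child are what the sandbox logs as WriteProcessMemory.
    """
    findings: List[str] = []
    previous: Optional[RundllCall] = None
    for image, cmdline in processes:
        call = parse_rundll32(image, cmdline)
        if call is None:
            if "werfault.exe" in image.lower():
                _add(findings, f"crash handler launched: {cmdline}")
            previous = None
            continue
        if (previous is not None and not previous.wow64 and call.wow64
                and previous.dll == call.dll and previous.entry == call.entry):
            _add(findings, "native rundll32 relaunched as WOW64 host for 32-bit DLL")
        basename = call.dll.rsplit("\\", 1)[-1]
        if call.in_user_temp:
            _add(findings, f"DLL loaded from user temp: {basename}")
        if call.nsis_vars:
            _add(findings, "unexpanded NSIS variables in path: " + ", ".join(call.nsis_vars))
        if call.by_ordinal:
            _add(findings, f"export called by ordinal {call.entry}")
        previous = call
    return findings


# Constructed sample input, copied from the Processes lists of behavioral19 and behavioral31.
BEHAVIORAL19 = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\$PROGRAMFILES\CCBComponents\Plugins\npdmwritecert.dll,#1"),
]
BEHAVIORAL31 = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 248"),
]

if __name__ == "__main__":
    for name, procs in (("behavioral19", BEHAVIORAL19), ("behavioral31", BEHAVIORAL31)):
        print(name)
        for line in triage(procs):
            print("  -", line)
```

The relaunch check only fires when the SysWOW64 host immediately follows the native one with the same DLL and entry, so an unrelated second rundll32 in the same analysis is not mistaken for it.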
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240221-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\CCBComponents\Plugins\CARoot\$PROGRAMFILES\CCBComponents\Plugins\CARoot\CheckP11.exe"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-12 17:36
Reported
2024-05-12 17:39
Platform
win7-20240215-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\CCBDMBDI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 248
Network
Files
memory/3016-0-0x0000000074780000-0x00000000748B5000-memory.dmp
memory/3016-2-0x0000000074640000-0x0000000074775000-memory.dmp
memory/3016-1-0x0000000074780000-0x00000000748B5000-memory.dmp
memory/3016-3-0x0000000074640000-0x0000000074775000-memory.dmp
memory/3016-6-0x0000000074640000-0x0000000074775000-memory.dmp
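The WerFault command line gives the PID of the process that crashed (`-p 3016`, the SysWOW64 rundll32 host), and the `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` names under Files give the regions the sandbox snapshotted from that process. Tying the two together is the first step before opening any of the dumps. The script below is an added example, not part of the report or the sandbox's own code: it parses both formats exactly as they appear above, confirms every dump belongs to the crashed PID, and groups the snapshots by region so the size of each range is visible. Function names are hypothetical and the sample strings are constructed from the behavioral31 entry; the `-s` value is carried through without interpretation.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(?P<pid>\d+)\s+-s\s+(?P<s>\d+)", re.I)
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I,
)
PAGE = 0x1000

Region = Tuple[int, int]  # (start, end), end exclusive


def parse_werfault(cmdline: str) -> Optional[Tuple[int, int]]:
    """Return (crashed pid, -s value) from a WerFault.exe command line, else None."""
    m = WERFAULT_RE.search(cmdline)
    return (int(m.group("pid")), int(m.group("s"))) if m else None


def parse_dump_name(name: str) -> Optional[dict]:
    """Split a sandbox memory dump file name into pid, snapshot index and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "index": int(m.group("idx")),
            "start": start, "end": end, "size": end - start}


def dumps_match_crash(werfault_cmdline: str, dump_names: List[str]) -> bool:
    """True when every parsable dump was taken from the PID WerFault was invoked for."""
    crashed = parse_werfault(werfault_cmdline)
    if crashed is None:
        return False
    parsed = [d for d in (parse_dump_name(n) for n in dump_names) if d]
    return bool(parsed) and all(d["pid"] == crashed[0] for d in parsed)


def crash_regions(werfault_cmdline: str, dump_names: List[str]) -> Tuple[int, Dict[Region, List[int]]]:
    """Group the crashed process' dumps by address range -> sorted snapshot indices."""
    crashed = parse_werfault(werfault_cmdline)
    if crashed is None:
        raise ValueError("not a WerFault command line")
    pid = crashed[0]
    regions: Dict[Region, set] = defaultdict(set)
    for name in dump_names:
        d = parse_dump_name(name)
        if d and d["pid"] == pid:
            regions[(d["start"], d["end"])].add(d["index"])
    return pid, {r: sorted(ix) for r, ix in regions.items()}


def summarize(werfault_cmdline: str, dump_names: List[str]) -> List[str]:
    """One line per region: range, size, page alignment and which snapshots cover it."""
    pid, regions = crash_regions(werfault_cmdline, dump_names)
    lines = [f"crashed pid {pid}: {len(regions)} distinct region(s)"]
    for (start, end), indices in sorted(regions.items()):
        aligned = start % PAGE == 0 and end % PAGE == 0
        lines.append(f"0x{start:08x}-0x{end:08x} size 0x{end - start:x} "
                     f"({end - start} bytes) page-aligned={aligned} snapshots={indices}")
    return lines


# Constructed from the behavioral31 entry: its WerFault line and the five Files rows.
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 248"
DUMP_FILES = [
    "memory/3016-0-0x0000000074780000-0x00000000748B5000-memory.dmp",
    "memory/3016-2-0x0000000074640000-0x0000000074775000-memory.dmp",
    "memory/3016-1-0x0000000074780000-0x00000000748B5000-memory.dmp",
    "memory/3016-3-0x0000000074640000-0x0000000074775000-memory.dmp",
    "memory/3016-6-0x0000000074640000-0x0000000074775000-memory.dmp",
]

if __name__ == "__main__":
    print("dumps belong to crashed pid:", dumps_match_crash(WERFAULT_CMDLINE, DUMP_FILES))
    for line in summarize(WERFAULT_CMDLINE, DUMP_FILES):
        print(line)
```

For behavioral31 this yields two page-aligned regions of identical size (0x135000 bytes), one covered by snapshots 0 and 1 and the other by 2, 3 and 6; two same-sized ranges at different bases are the ones to diff first when the dumps are opened, since they may be the same image mapped twice.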