Malware Analysis Report

2024-10-16 06:47

Sample ID 240616-jr8c3szblr
Target TouchEn_nxKey_32bit.exe
SHA256 a5a5cf58d399b5f31d34286d078ec6cc3a2bf34bef2bed8d1fbaa2d3b8058339
Tags upx discovery execution persistence spyware stealer themida
Score 8/10

Analysis Overview

score
8/10

SHA256

a5a5cf58d399b5f31d34286d078ec6cc3a2bf34bef2bed8d1fbaa2d3b8058339

Threat Level: Likely malicious

The file TouchEn_nxKey_32bit.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery execution persistence spyware stealer themida

Creates new service(s)

Sets service image path in registry

Themida packer

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Checks computer location settings

Drops file in Program Files directory

Executes dropped EXE

Loads dropped DLL

Launches sc.exe

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Modifies system certificate store

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-06-16 07:55

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 07:55

Reported

2024-06-16 07:57

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

Signatures

UPX packed file

upx

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

Network

N/A

Files

memory/1312-0-0x0000000000400000-0x00000000014F8000-memory.dmp

memory/1312-1-0x0000000000400000-0x00000000014F8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 07:55

Reported

2024-06-16 07:59

Platform

win10v2004-20240508-en

Max time kernel

269s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

Signatures

Creates new service(s)

persistence execution

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JRSKD24\ImagePath = "\\??\\C:\\Windows\\system32\\JRSKD24.SYS" C:\Windows\SysWOW64\CKSetup64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrossEXService = "C:\\Program Files (x86)\\iniLINE\\CrossEX\\crossex\\CrossEXService.exe" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A

Drops file in System32 directory


Checks installed software on the system

discovery

Drops file in Program Files directory


Executes dropped EXE


Loads dropped DLL


Enumerates physical storage devices

NSIS installer

installer

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39} C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\AppName = "CKAgentNXE.exe" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\AppName = "CKAgentNXE.exe" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\Policy = "3" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\AppName = "CKAgentNXE.exe" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\AppPath = "C:\\Windows\\system32" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\Policy = "3" C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756} C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\AppPath = "C:\\Windows\\system32" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\Policy = "3" C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756} C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38} C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39}\AppPath = "C:\\Windows\\system32" C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39} C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38} C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA39} C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756} C:\Windows\SysWOW64\CKSetup32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CrossEXService = "C:\\Program Files (x86)\\iniLINE\\CrossEX\\crossex\\CrossEXService.exe" C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CrossEXService = "C:\\Program Files (x86)\\iniLINE\\CrossEX\\crossex\\CrossEXService.exe" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CrossEXService = "C:\\Program Files (x86)\\iniLINE\\CrossEX\\crossex\\CrossEXService.exe" C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\Programmable C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\Programmable C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CLSID\ = "{9415226c-a06d-11ed-8767-000c2936bd4f}" C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore C:\Windows\SysWOW64\CKSetup32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f} C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BCC3963A-8284-48E1-9E44-72429E752393} C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CLSID C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CurVer C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\VersionIndependentProgID\ = "touchenexProtocol.ProtocolMain" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CurVer\ = "touchenexProtocol.ProtocolMain.1" C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft C:\Windows\SysWOW64\CKSetup32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\Programmable C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9544A71-CBFA-4CE0-A01B-28F39B976CC9}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C3ED391-18E2-461F-9CFF-7F3C679AB560} C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BCC3963A-8284-48E1-9E44-72429E752393}\ = "CrossExProtocol" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C3ED391-18E2-461F-9CFF-7F3C679AB560}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex\ C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\VersionIndependentProgID\ = "touchenexProtocol.ProtocolMain" C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f} C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9544A71-CBFA-4CE0-A01B-28F39B976CC9}\1.0\0\win32\ = "C:\\Program Files (x86)\\RaonSecure\\bridge\\CrossEX\\touchenex\\1.0.1.1529\\CrossEXProtocol.dll" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain.1\ = "ProtocolMain Class" C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\VersionIndependentProgID\ = "touchenexProtocol.ProtocolMain" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\InprocServer32\ = "C:\\Program Files (x86)\\RaonSecure\\bridge\\CrossEX\\touchenex\\1.0.1.1529\\CrossEXProtocol.dll" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\TypeLib C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\ProgID C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756} C:\Windows\SysWOW64\CKSetup32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\TypeLib\ = "{E9544A71-CBFA-4CE0-A01B-28F39B976CC9}" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain.1 C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CurVer\ = "touchenexProtocol.ProtocolMain.1" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f} C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f} C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\Programmable C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CurVer\ = "touchenexProtocol.ProtocolMain.1" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\TypeLib C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0" C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\CLSID\ = "{9415226c-a06d-11ed-8767-000c2936bd4f}" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756} C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\ = "ProtocolMain Class" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\VersionIndependentProgID\ = "touchenexProtocol.ProtocolMain" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9544A71-CBFA-4CE0-A01B-28F39B976CC9}\1.0\0 C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C3ED391-18E2-461F-9CFF-7F3C679AB560}\TypeLib C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f} C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38} C:\Windows\SysWOW64\CKSetup32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\ = "ProtocolMain Class" C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\ProgID C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\touchenex\CLSID = "{9415226c-a06d-11ed-8767-000c2936bd4f}" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\ProgID C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C3ED391-18E2-461F-9CFF-7F3C679AB560}\ = "IProtocolMain" C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\touchenexProtocol.ProtocolMain\ = "ProtocolMain Class" C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f}\Programmable C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9415226c-a06d-11ed-8767-000c2936bd4f} C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC2F16A0E1AF8FAF0D3E93EAC9ACA7315A409C79 C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC2F16A0E1AF8FAF0D3E93EAC9ACA7315A409C79 C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC2F16A0E1AF8FAF0D3E93EAC9ACA7315A409C79\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC2F16A0E1AF8FAF0D3E93EAC9ACA7315A409C79\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC2F16A0E1AF8FAF0D3E93EAC9ACA7315A409C79 C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC2F16A0E1AF8FAF0D3E93EAC9ACA7315A409C79\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup64.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup64.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup64.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CKSetup32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CKSetup32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CKSetup32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup64.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\FFCert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe N/A
N/A N/A C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\FFCert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe N/A
N/A N/A C:\Windows\SysWOW64\CKSetup64.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Windows\SysWOW64\CKSetup32.exe
PID 1648 wrote to memory of 992 N/A C:\Windows\SysWOW64\CKSetup32.exe C:\Windows\SysWOW64\CKSetup64.exe
PID 1648 wrote to memory of 3704 N/A C:\Windows\SysWOW64\CKSetup32.exe C:\Windows\SysWOW64\CKSetup64.exe
PID 1012 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe
PID 1012 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe
PID 4492 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe
PID 4492 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe C:\Windows\SysWOW64\sc.exe
PID 4492 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe C:\Windows\SysWOW64\sc.exe
PID 4492 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe C:\Windows\SysWOW64\sc.exe
PID 1012 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe
PID 2064 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe
PID 2336 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe
PID 2336 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe
PID 1900 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Windows\SysWOW64\CKSetup32.exe
PID 2400 wrote to memory of 1804 N/A C:\Windows\SysWOW64\CKSetup32.exe C:\Windows\SysWOW64\CKSetup64.exe
PID 2400 wrote to memory of 4156 N/A C:\Windows\SysWOW64\CKSetup32.exe C:\Windows\SysWOW64\CKSetup64.exe
PID 1900 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe
PID 4112 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe
PID 1900 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe
PID 4632 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe
PID 4632 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe C:\Windows\SysWOW64\sc.exe
PID 4632 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe C:\Windows\SysWOW64\sc.exe
PID 4632 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

C:\Windows\SysWOW64\CKSetup32.exe

C:\Windows\system32\CKSetup32.exe /install appm

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgentNXE

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgent

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe" /S

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe" /S

C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe

"C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe"

C:\Windows\SysWOW64\sc.exe

sc create "CrossEX Live Checker" binpath= "\"C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe\"" start= auto

C:\Windows\SysWOW64\sc.exe

sc description "CrossEX Live Checker" "checking live status of CrossEXService"

C:\Windows\SysWOW64\sc.exe

sc start "CrossEX Live Checker"

C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe

"C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe"

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe" -noces

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe "C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe" -noces

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

"C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -A -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release" -i "C:\Program Files (X86)\iniLINE\CrossEX\crossex\rootCA.crt" -n "iniLINE CrossEX RootCA2" -t "CT,C,C"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

"C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release"

C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

C:\Windows\SysWOW64\CKSetup32.exe

C:\Windows\system32\CKSetup32.exe /install appm

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgentNXE

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgent

C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\raon_touchenex_Install.exe" /S

C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe

"C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe"

C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\CrossEX_LocalService_Install.exe" /S

C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe

"C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe"

C:\Windows\SysWOW64\sc.exe

sc create "CrossEX Live Checker" binpath= "\"C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe\"" start= auto

C:\Windows\SysWOW64\sc.exe

sc description "CrossEX Live Checker" "checking live status of CrossEXService"

C:\Windows\SysWOW64\sc.exe

sc start "CrossEX Live Checker"

C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\FFCert.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\FFCert.exe"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe "C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\FFCert.exe"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

"C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -A -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release" -i "C:\Program Files (X86)\iniLINE\CrossEX\crossex\rootCA.crt" -n "iniLINE CrossEX RootCA2" -t "CT,C,C"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

"C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release"

C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe

"C:\Users\Admin\AppData\Local\Temp\TouchEn_nxKey_32bit.exe"

C:\Windows\SysWOW64\CKSetup32.exe

C:\Windows\system32\CKSetup32.exe /install appm

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgentNXE

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgent

C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\raon_touchenex_Install.exe" /S

C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe

"C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UninstallCrossEX.exe"

C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\CrossEX_LocalService_Install.exe" /S

C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe

"C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe"

C:\Windows\SysWOW64\sc.exe

sc create "CrossEX Live Checker" binpath= "\"C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe\"" start= auto

C:\Windows\SysWOW64\sc.exe

sc description "CrossEX Live Checker" "checking live status of CrossEXService"

C:\Windows\SysWOW64\sc.exe

sc start "CrossEX Live Checker"

C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\FFCert.exe

"C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\FFCert.exe"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe "C:\Users\Admin\AppData\Local\Temp\~RAPack1786593\FFCert.exe"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

"C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -A -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release" -i "C:\Program Files (X86)\iniLINE\CrossEX\crossex\rootCA.crt" -n "iniLINE CrossEX RootCA2" -t "CT,C,C"

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

"C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release"

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe"

C:\Windows\SysWOW64\CKSetup64.exe

"C:\Windows\SysWOW64\CKSetup64.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\SysWOW64\CKSetup32.exe

C:\Windows\SysWOW64\CKSetup64.exe

C:\Windows\System32\CKAgentNXE.exe

C:\Windows\System32\JRSKD24.SYS

C:\Windows\System32\JRSUKD25.SYS

C:\Windows\System32\CKAgent.exe

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\raon_touchenex_Install.exe

C:\Users\Admin\AppData\Local\Temp\nsjB156.tmp\System.dll

C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\1.0.1.1529\CrossEXProtocol.dll

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\CrossEX_LocalService_Install.exe

C:\Program Files (x86)\iniLINE\CrossEX\crossex\rootCA.crt

C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe

C:\Users\Admin\AppData\Local\Temp\nseB3F5.tmp\nsExec.dll

C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\FFCert.exe

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\nssutil3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\libplds4.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\smime3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\libnspr4.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\softokn3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\freebl3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\msvcr100.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\nss3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\libplc4.dll

C:\Users\Admin\AppData\Local\Temp\~RAPack1611718\_Install.ini

C:\Program Files (x86)\RaonSecure\TouchEn nxKey\TKMain.dll

C:\Users\Admin\AppData\Local\Temp\~RAPack1766468\_Chunk.zip

C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\1.0.1.1529\digicert_root_g4.cer

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\nssckbi.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\nssdbm3.dll

C:\Users\Admin\AppData\Local\Temp\ffcert_raon\bin\ssl3.dll

C:\Users\Admin\AppData\Local\Temp\etilqs_KQ7OShLcHJYXONGaZsOf

C:\Program Files (x86)\RaonSecure\TouchEn nxKey\TKAppi.dll

C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\1.0.1.1529\CrossEX.sig

C:\Program Files (x86)\RaonSecure\bridge\CrossEX\touchenex\UnInstallCrossEX.exe

C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe.sig

C:\Users\Admin\AppData\Local\Temp\etilqs_IAq8APo63ledZJ0dRF4T
