URL:

http://file.zhongdengwang.com/ocx/PBCCRCPassGuardEdge.exe

Full analysis: https://app.any.run/tasks/4ca9ad4e-4330-400c-be68-2c36ad6f94a4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 21, 2019, 16:45:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

715BB18A46671A63A3C356F42D8E4A70

SHA1:

222125715A6B850CECC6102BCAF8C8D2109AAB75

SHA256:

3ABAEC1CC188E75F3D0BC482FCED42C9C494AE691226EF0DB75C452648B31733

SSDEEP:

3:N1KYL8RddIRGdKtR32JgVACn:CYgjsKKtnVAC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PBCCRCPassGuardEdge[1].exe (PID: 2360)
      • PBCCRCPassGuardEdge[1].exe (PID: 3408)
      • PBCCRCPassGuardXInputService.exe (PID: 2304)
      • PBCCRCPassGuardXInputService.exe (PID: 2964)
      • PBCCRCPassGuardXInputService.exe (PID: 3728)
      • certutil.exe (PID: 2420)
      • PBCCRCPassGuardXInput.exe (PID: 2872)
      • certmgr.exe (PID: 2160)
      • certmgr.exe (PID: 2412)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2148)
    • Loads dropped or rewritten executable

      • PBCCRCPassGuardEdge[1].exe (PID: 3408)
      • certutil.exe (PID: 2420)
    • Uses Task Scheduler to run other applications

      • PBCCRCPassGuardXInput.exe (PID: 2872)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2424)
      • schtasks.exe (PID: 3396)
    • Changes settings of System certificates

      • certmgr.exe (PID: 2412)
      • certmgr.exe (PID: 2160)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3688)
      • iexplore.exe (PID: 2148)
      • PBCCRCPassGuardEdge[1].exe (PID: 3408)
    • Creates files in the Windows directory

      • PBCCRCPassGuardEdge[1].exe (PID: 3408)
    • Creates a software uninstall entry

      • PBCCRCPassGuardEdge[1].exe (PID: 3408)
    • Creates files in the user directory

      • certutil.exe (PID: 2420)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3688)
      • iexplore.exe (PID: 2148)
    • Changes internet zones settings

      • iexplore.exe (PID: 3688)
    • Application launched itself

      • iexplore.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Behavior graph image not captured. Nodes: iexplore.exe, iexplore.exe, pbccrcpassguardedge[1].exe (no specs), pbccrcpassguardedge[1].exe, pbccrcpassguardxinputservice.exe (no specs), pbccrcpassguardxinput.exe, pbccrcpassguardxinputservice.exe (no specs), pbccrcpassguardxinputservice.exe (no specs), schtasks.exe (no specs), schtasks.exe (no specs), certutil.exe (no specs), certmgr.exe (no specs), certmgr.exe (no specs). Edge labels: "drop and start" (7), "start" (1).

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2148
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3688 CREDAT:71937
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2160
CMD:
"C:\Users\admin\AppData\Local\Temp\certmgr.exe" -add "C:\Users\admin\AppData\Local\Temp\mysign.cer" -c -s -r localMachine CA
Path:
C:\Users\admin\AppData\Local\Temp\certmgr.exe
Parent process:
PBCCRCPassGuardEdge[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ECM Certificate Manager
Exit code:
0
Version:
6.2.9200.16384 (win8_rtm.120725-1247)
Modules
Images
c:\users\admin\appdata\local\temp\certmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2304
CMD:
"C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe" "-install"
Path:
C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe
Parent process:
PBCCRCPassGuardEdge[1].exe
User:
admin
Company:
PBCCRC
Integrity Level:
HIGH
Description:
PBCCRCPassGuardXInputService
Exit code:
0
Version:
1.0.1.0
Modules
Images
c:\windows\system32\pbccrcnew\pbccrcpassguardxinputservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
2360
CMD:
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\PBCCRCPassGuardEdge[1].exe"
Path:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\PBCCRCPassGuardEdge[1].exe
Parent process:
iexplore.exe
User:
admin
Company:
中国人民银行征信中心 (Credit Reference Center, People's Bank of China)
Integrity Level:
MEDIUM
Description:
人行征信中心密码控件 (PBC Credit Reference Center password control)
Exit code:
3221226540
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\0uu90r59\pbccrcpassguardedge[1].exe
c:\systemroot\system32\ntdll.dll
PID:
2412
CMD:
"C:\Users\admin\AppData\Local\Temp\certmgr.exe" -add "C:\Users\admin\AppData\Local\Temp\wosign.cer" -c -s -r localMachine Root
Path:
C:\Users\admin\AppData\Local\Temp\certmgr.exe
Parent process:
PBCCRCPassGuardEdge[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ECM Certificate Manager
Exit code:
0
Version:
6.2.9200.16384 (win8_rtm.120725-1247)
Modules
Images
c:\users\admin\appdata\local\temp\certmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
2420
CMD:
certutil.exe -A -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default" -i .\root_bundle.crt -n "Certum Domain Validation CA SHA2" -t "C,,"
Path:
C:\Windows\system32\PBCCRCNew\certutil.exe
Parent process:
PBCCRCPassGuardXInput.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\pbccrcnew\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\pbccrcnew\nssutil3.dll
c:\windows\system32\pbccrcnew\plc4.dll
c:\windows\system32\pbccrcnew\nspr4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
2424
CMD:
C:\Windows\system32\schtasks.exe /delete /tn "ÈËÐÐÕ÷ÐŰ²È«¿Ø¼þ°²È«ÊäÈë³ÌÐò" /f
Path:
C:\Windows\system32\schtasks.exe
Parent process:
PBCCRCPassGuardXInput.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID:
2872
CMD:
C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInput.exe
Path:
C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInput.exe
Parent process:
PBCCRCPassGuardEdge[1].exe
User:
admin
Company:
PBCCRC
Integrity Level:
HIGH
Description:
PBCCRCPassGuardXInput
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\windows\system32\pbccrcnew\pbccrcpassguardxinput.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
2964
CMD:
"C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe" "-control" "PBCCRCPassGuardXInputService" "start"
Path:
C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe
Parent process:
PBCCRCPassGuardEdge[1].exe
User:
admin
Company:
PBCCRC
Integrity Level:
HIGH
Description:
PBCCRCPassGuardXInputService
Exit code:
0
Version:
1.0.1.0
Modules
Images
c:\windows\system32\pbccrcnew\pbccrcpassguardxinputservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
3396
CMD:
C:\Windows\system32\schtasks.exe /create /tn "ÈËÐÐÕ÷ÐŰ²È«¿Ø¼þ°²È«ÊäÈë³ÌÐò" /tr "C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInput.exe" /sc onlogon
Path:
C:\Windows\system32\schtasks.exe
Parent process:
PBCCRCPassGuardXInput.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
1 034
Read events
972
Write events
58
Delete events
4

Modification events

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:
write
Name:
CompatibilityFlags
Value:
0

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
0

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
1

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:
write
Name:
SecuritySafe
Value:
1

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:
write
Name:
ProxyEnable
Value:
0

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:
write
Name:
SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:
write
Name:
{1520B0BD-35F8-11E9-BEEC-5254004A04AF}
Value:
0

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:
write
Name:
Type
Value:
4

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:
write
Name:
Count
Value:
3

(PID) Process:
(3688) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:
write
Name:
Time
Value:
E30702000400150010002D001800C602
Executable files
23
Suspicious files
4
Text files
11
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Temp\~DF8C788AD10C696CCF.TMP
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Temp\~DF90FC72B4676F2744.TMP
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1520B0BD-35F8-11E9-BEEC-5254004A04AF}.dat
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[2].png
Type:
image
MD5:
9FB559A691078558E77D6848202F6541
SHA256:
6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{1520B0BE-35F8-11E9-BEEC-5254004A04AF}.dat
Type:
binary
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019022120190222\index.dat
Type:
dat
MD5:
SHA256:

PID:
3688
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\PBCCRCPassGuardEdge[1].exe
Type:
executable
MD5:
CC2844F22C8EA369022B9A876C00011C
SHA256:
7042D4B77440C8FB28F8FC8F44C703D3DD91CE0834FB3EF4CEBC1D2F492AF7BA

PID:
2148
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019022120190222\index.dat
Type:
dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
3
Threats
1

HTTP requests

PID: 2148
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 27.148.208.208:80
URL: http://file.zhongdengwang.com/ocx/PBCCRCPassGuardEdge.exe
Country: CN
Type: executable
Size: 6.52 Mb
Reputation: suspicious

PID: 3688
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
Country: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID: 3688
Process: iexplore.exe
IP: 204.79.197.200:80
Domain: www.bing.com
ASN: Microsoft Corporation
Country: US
Reputation: whitelisted

PID: 2148
Process: iexplore.exe
IP: 27.148.208.208:80
Domain: file.zhongdengwang.com
ASN: Fuzhou
Country: CN
Reputation: suspicious

DNS requests

Domain: file.zhongdengwang.com
IP:
  • 180.97.82.149
  • 223.111.15.202
  • 183.146.17.45
  • 183.146.16.107
  • 27.148.208.208
Reputation: suspicious

Domain: www.bing.com
IP:
  • 204.79.197.200
  • 13.107.21.200
Reputation: whitelisted

Threats

PID: 2148
Process: iexplore.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP
No debug info