File name: | PBCCRCPassGuardEdge.exe |
Full analysis: | https://app.any.run/tasks/78b6f6cf-2ec1-4fc1-8f5f-a4b7197dae0a |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 13:42:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | CC2844F22C8EA369022B9A876C00011C |
SHA1: | D747F4360BB0ABDBD01C0734D672043BFFB48011 |
SHA256: | 7042D4B77440C8FB28F8FC8F44C703D3DD91CE0834FB3EF4CEBC1D2F492AF7BA |
SSDEEP: | 196608:cTMw4fG7JNhMCFnFsOOsOJBfUoD1M0wKaMRefVrATZ:iJz9FnOM8M0NC1aZ |
Extension | Detection (confidence) |
---|---|
.exe | NSIS - Nullsoft Scriptable Install System (91.9) |
.exe | Win32 Executable MS Visual C++ (generic) (3.3) |
.exe | Win64 Executable (generic) (3) |
.dll | Win32 Dynamic Link Library (generic) (0.7) |
.exe | Win32 Executable (generic) (0.4) |
ProductVersion: | 1.0.0.1 |
ProductName: | 人行征信中心密码控件 (PBC Credit Reference Center password control) |
LegalCopyright: | (C) 2018 中国人民银行征信中心 所有权利保留 ((C) 2018 Credit Reference Center of the People's Bank of China, all rights reserved) |
FileVersion: | 1.0.0.1 |
FileDescription: | 人行征信中心密码控件 (PBC Credit Reference Center password control) |
CompanyName: | 中国人民银行征信中心 (Credit Reference Center of the People's Bank of China) |
CharacterSet: | Windows, Chinese (Simplified) |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.0.0.1 |
FileVersionNumber: | 1.0.0.1 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x30b6 |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 117760 |
CodeSize: | 23552 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2014:05:11 22:03:30+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 11-May-2014 20:03:30 |
Detected languages: | |
CompanyName: | 中国人民银行征信中心 (Credit Reference Center of the People's Bank of China) |
FileDescription: | 人行征信中心密码控件 (PBC Credit Reference Center password control) |
FileVersion: | 1.0.0.1 |
LegalCopyright: | (C) 2018 中国人民银行征信中心 所有权利保留 ((C) 2018 Credit Reference Center of the People's Bank of China, all rights reserved) |
ProductName: | 人行征信中心密码控件 (PBC Credit Reference Center password control) |
ProductVersion: | 1.0.0.1 |
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header (in 16-byte paragraphs): | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of new EXE (PE) header, e_lfanew: | 0x000000C8 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 11-May-2014 20:03:30 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005A68 | 0x00005C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4187 |
.rdata | 0x00007000 | 0x000011CE | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.23558 |
.data | 0x00009000 | 0x0001A7B8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.87123 |
.ndata | 0x00024000 | 0x00011000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00035000 | 0x00004E18 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.40911 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.26024 | 1013 | UNKNOWN | English - United States | RT_MANIFEST |
103 | 1.91924 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.62576 | 492 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.86626 | 228 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.9304 | 218 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3936 | "C:\Users\admin\AppData\Local\Temp\PBCCRCPassGuardEdge.exe" | C:\Users\admin\AppData\Local\Temp\PBCCRCPassGuardEdge.exe | — | explorer.exe |
User: admin; Company: 中国人民银行征信中心 (Credit Reference Center of the People's Bank of China); Integrity level: MEDIUM; Description: 人行征信中心密码控件 (PBC Credit Reference Center password control); Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 1.0.0.1 |
2860 | "C:\Users\admin\AppData\Local\Temp\PBCCRCPassGuardEdge.exe" | C:\Users\admin\AppData\Local\Temp\PBCCRCPassGuardEdge.exe | | explorer.exe |
User: admin; Company: 中国人民银行征信中心 (Credit Reference Center of the People's Bank of China); Integrity level: HIGH; Description: 人行征信中心密码控件 (PBC Credit Reference Center password control); Exit code: 0; Version: 1.0.0.1 |
3504 | "C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe" "-install" | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe | — | PBCCRCPassGuardEdge.exe |
User: admin; Company: PBCCRC; Integrity level: HIGH; Description: PBCCRCPassGuardXInputService; Exit code: 0; Version: 1.0.1.0 |
4024 | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInput.exe | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInput.exe | | PBCCRCPassGuardEdge.exe |
User: admin; Company: PBCCRC; Integrity level: HIGH; Description: PBCCRCPassGuardXInput; Version: 1.0.0.1 |
1376 | "C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe" "-control" "PBCCRCPassGuardXInputService" "start" | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe | — | PBCCRCPassGuardEdge.exe |
User: admin; Company: PBCCRC; Integrity level: HIGH; Description: PBCCRCPassGuardXInputService; Exit code: 0; Version: 1.0.1.0 |
2912 | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInputService.exe | — | services.exe |
User: SYSTEM; Company: PBCCRC; Integrity level: SYSTEM; Description: PBCCRCPassGuardXInputService; Version: 1.0.1.0 |
3472 | C:\Windows\system32\schtasks.exe /delete /tn "人行征信安全控件安全输入程序" /f | C:\Windows\system32\schtasks.exe | — | PBCCRCPassGuardXInput.exe |
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Manages scheduled tasks; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2432 | C:\Windows\system32\schtasks.exe /create /tn "人行征信安全控件安全输入程序" /tr "C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardXInput.exe" /sc onlogon | C:\Windows\system32\schtasks.exe | — | PBCCRCPassGuardXInput.exe |
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255). The task name is GBK text that the raw report renders as Latin-1 ("ÈËÐÐÕ÷ÐÅ°²È«¿Ø¼þ°²È«ÊäÈë³ÌÐò"); decoded it reads 人行征信安全控件安全输入程序 (PBC credit-reference secure control, secure input program) |
3448 | certutil.exe -A -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default" -i .\root_bundle.crt -n "Certum Domain Validation CA SHA2" -t "C,," | C:\Windows\system32\PBCCRCNew\certutil.exe | — | PBCCRCPassGuardXInput.exe |
User: admin; Integrity level: HIGH; Exit code: 0. This is the NSS certutil dropped into PBCCRCNew (alongside nssutil3.dll, softokn3.dll and smime3.dll), not the Windows certutil; -A adds the certificate to the Firefox profile's certificate database and -t "C,," marks it a trusted CA for TLS server certificates |
3124 | "C:\Users\admin\AppData\Local\Temp\certmgr.exe" -add "C:\Users\admin\AppData\Local\Temp\wosign.cer" -c -s -r localMachine Root | C:\Users\admin\AppData\Local\Temp\certmgr.exe | — | PBCCRCPassGuardEdge.exe |
User: admin; Integrity level: HIGH; Exit code: 0. Adds wosign.cer to the machine-wide Trusted Root Certification Authorities store (-s -r localMachine Root) |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2860 | PBCCRCPassGuardEdge.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
2860 | PBCCRCPassGuardEdge.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3124 | certmgr.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E | write | Blob | (certificate blob, omitted from this page) |
3480 | certmgr.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FF9CEB13C83F15B800E6EFF987B2C72E01B4B320 | write | Blob | (certificate blob, omitted from this page) |
2860 | PBCCRCPassGuardEdge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\人行征信中心密码控件非插件版 | write | DisplayName | 人行征信中心密码控件非插件版 (PBC Credit Reference Center password control, non-plugin edition) |
2860 | PBCCRCPassGuardEdge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\人行征信中心密码控件非插件版 | write | DisplayIcon | C:\Windows\system32\PBCCRCNew\uninst.exe |
2860 | PBCCRCPassGuardEdge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\人行征信中心密码控件非插件版 | write | UninstallString | C:\Windows\system32\PBCCRCNew\uninst.exe |
2860 | PBCCRCPassGuardEdge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\人行征信中心密码控件非插件版 | write | DisplayVersion | 1.0.0.1 |
2860 | PBCCRCPassGuardEdge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\人行征信中心密码控件非插件版 | write | URLInfoAbout | (empty) |
2860 | PBCCRCPassGuardEdge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\人行征信中心密码控件非插件版 | write | Publisher | 中国人民银行征信中心 (Credit Reference Center of the People's Bank of China) |
The uninstall key and Publisher value are GBK text that the raw report renders as Latin-1 ("ÈËÐÐÕ÷ÐÅÖÐÐÄÃÜÂë¿Ø¼þ·Ç²å¼þ°æ" and "ÖйúÈËÃñÒøÐÐÕ÷ÐÅÖÐÐÄ"); the decoded forms are shown above. Under SystemCertificates, the subkey name is the SHA-1 thumbprint of the stored certificate: ROOT\Certificates is the machine trusted-root store written by the certmgr.exe run in the process table, and CA\Certificates is the intermediate-CA store, written here by a second certmgr.exe instance (PID 3480) that the process table does not list.
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2860 | PBCCRCPassGuardEdge.exe | C:\Users\admin\AppData\Local\Temp\nso1A61.tmp\nsDialogs.dll | executable | E75AE7CFE06FF9692D98A934F6AA2D3C | 1F861AEB145EBBB9A2628414E6DCA6B06D0BFB252F2DE624B86814CFEC8097D0 |
2860 | PBCCRCPassGuardEdge.exe | C:\Users\admin\AppData\Local\Temp\nso1A61.tmp\modern-header.bmp | image | DD6C77C1262BCCB892F47D14241FC15F | C48C40476B3B93688123B1F0AAED50D583BEB03EBEFD1295154007CA352D3439 |
2860 | PBCCRCPassGuardEdge.exe | C:\Users\admin\AppData\Local\Temp\nso1A61.tmp\KillProcDLL.dll | executable | 99F345CF51B6C3C317D20A81ACB11012 | C2689BA1F66066AFCE85CA6457ECD36370BE0FE351C58422E45EFD0948655C93 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\smime3.dll | executable | E14DB78BC66D3DAEE2B3600E7B91E989 | 3173141BEC7496911EEFC07ACE7DE2F63CF78C785884564F4100299BA7C6F174 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\sqlite3.dll | executable | 2413E69E314AE461B2D84DA7FDA440DF | 94D7C8F60194C03BC9D54E484DF5D6E1DAC9B67886C79A43776D0A8AAD8C9510 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\PBCCRCPassGuardX.exe | executable | 45179154C91D8ADD35007A420FF2F927 | 01582DC91B295935C1FECE2716B0F661D12FA7E8E7485E1D730FC06E33854EC8 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\nssutil3.dll | executable | B0F5738014BE133E5ED8E9EC4B730DD3 | 0C4000C19BF781B1B8087AFB562A9A75F6F397E695E306BDC785D771041E03F6 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\root_bundle.crt | text | 00275A8C42F1F8377B332ADFCE33E4CF | AEFD1EC82C1B1EC04001139E84B966DE72DC7784C02E7D9826F536D1F99B5B45 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\softokn3.dll | executable | 0694C07CB9075F57235202C16EC92986 | 5CFF75C7E20C6036BBEA97BA5CC7F87D441D533213CBE31C2957B910CFFB46E5 |
2860 | PBCCRCPassGuardEdge.exe | C:\Windows\system32\PBCCRCNew\plds4.dll | executable | 2CA927798DC32E6C97D35E40C5F19DFB | BC5C468372754C561BE416AB381F25B1CDCAC5F4C341B709EF04D9BED5924628 |