Malware analysis passportwebclientdigitalcheck (2).exe Malicious activity

Add for printing

File name:	passportwebclientdigitalcheck (2).exe
Full analysis:	https://app.any.run/tasks/84fc0b64-a50a-42ff-8d67-f2fc9f83972b
Verdict:	Malicious activity
Analysis date:	October 25, 2024, 17:40:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	7C47F95A3F0A3866B31E759267CAF386
SHA1:	5F9379AACF5FC7C426AE63A2C355627CEBD1621C
SHA256:	7EA80E1E0D6A6212689C53427DB1C70B5BB4A1898344249E24D32975B16818CA
SSDEEP:	98304:GjXVk7YQv5y5tVVBEZ8+y6eLoYd+ZIQyKxHzJ7BI8jY6vo0MuGt037oeKpU9iwja:L2r9pvoYVi10gXvRWTD6yn7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- Creates file in the systems drive root
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- The process creates files with name similar to system file names
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- The process drops C-runtime libraries
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- Executable content was dropped or overwritten
  - passportwebclientdigitalcheck (2).exe (PID: 608)
  - DPInst.exe (PID: 5984)
  - drvinst.exe (PID: 3764)
  - drvinst.exe (PID: 6204)
- Uses ICACLS.EXE to modify access control lists
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- Process drops legitimate windows executable
  - passportwebclientdigitalcheck (2).exe (PID: 608)
  - DPInst.exe (PID: 5984)
  - drvinst.exe (PID: 3764)
- Drops a system driver (possible attempt to evade defenses)
  - passportwebclientdigitalcheck (2).exe (PID: 608)
  - DPInst.exe (PID: 5984)
  - drvinst.exe (PID: 3764)
  - drvinst.exe (PID: 6204)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - passportwebclientdigitalcheck (2).exe (PID: 608)
INFO
- Create files in a temporary directory
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- Checks supported languages
  - passportwebclientdigitalcheck (2).exe (PID: 608)
- Reads the computer name
  - passportwebclientdigitalcheck (2).exe (PID: 608)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:07:25 00:55:47+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	24064
InitializedDataSize:	118784
UninitializedDataSize:	1024
EntryPoint:	0x322b
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.32.0.7
ProductVersionNumber:	3.32.0.7
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
FileDescription:	Passport Web Client Driver
FileVersion:	03.32.00.07
LegalCopyright:	NCR
LegalTrademarks:	NCR
OriginalFileName:	PassportWebClientDigitalCheck.exe
ProductName:	PassportWebClientDigitalCheck
ProductVersion:	03.32.00.07

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

608

"C:\Users\admin\AppData\Local\Temp\passportwebclientdigitalcheck (2).exe"

C:\Users\admin\AppData\Local\Temp\passportwebclientdigitalcheck (2).exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Passport Web Client Driver

Exit code:

Version:

03.32.00.07

Modules

Images
c:\users\admin\appdata\local\temp\passportwebclientdigitalcheck (2).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1700

"C:\Program Files (x86)\NCR\Passport Web Edition\pwecSBlog.exe" -install

C:\Program Files (x86)\NCR\Passport Web Edition\pwecsblog.exe

—

passportwebclientdigitalcheck (2).exe

User:

admin

Company:

NCR Corporation

Integrity Level:

HIGH

Description:

Passport Web Edition Client SB Log Hold

Exit code:

Version:

3, 32, 0, 7

Modules

Images
c:\program files (x86)\ncr\passport web edition\pwecsblog.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3076

certutil -f -addstore root s5ps.

C:\Windows\SysWOW64\certutil.exe

—

pwecsrvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3108

pwecpccheck.exe -silent

C:\Program Files (x86)\NCR\Passport Web Edition\pwecpccheck.exe

passportwebclientdigitalcheck (2).exe

User:

admin

Company:

NCR Corporation

Integrity Level:

HIGH

Description:

Passport Web Edition Client PC Check Application

Exit code:

Version:

3, 32, 0, 7

Modules

Images
c:\program files (x86)\ncr\passport web edition\pwecpccheck.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll

3600

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3604

netsh firewall add allowedprogram "C:\Program Files (x86)\NCR\Passport Web Edition\pwecsrvc.exe" "PassportWebClient" ENABLE All

C:\Windows\SysWOW64\netsh.exe

—

passportwebclientdigitalcheck (2).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3608

netsh firewall add allowedprogram "C:\Program Files (x86)\NCR\Passport Web Edition\pwecpccheck.exe" "PassportWebClientPCCheck" ENABLE All

C:\Windows\SysWOW64\netsh.exe

—

passportwebclientdigitalcheck (2).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3764

DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{e4c9d365-dd20-ef4c-b9a0-86b4b724e039}\dccst3.inf" "9" "418b9c4ab" "00000000000001D8" "WinSta0\Default" "00000000000001F0" "208" "c:\program files (x86)\ncr\passport web edition\ranger\rangercore\scanner plug-ins\digitalcheck\driver"

C:\Windows\System32\drvinst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

3964

certutil -delstore -enterprise root NCRlocalhost

C:\Windows\SysWOW64\certutil.exe

—

pwecsrvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4208

"icacls.exe" "C:\Program Files (x86)\NCR\Passport Web Edition\config" /grant *S-1-5-32-545:(OI)(CI)F

C:\Windows\SysWOW64\icacls.exe

—

passportwebclientdigitalcheck (2).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

20 605

Read events

20 569

Write events

Delete events

Modification events


(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EDEBED721804A78459C0480CDDD9CF75A522F674
Operation:	write	Name:	UninstallString
Value: C:\PROGRA~1\DIFX\F4092DA208C2C970\DPInst.exe /u C:\WINDOWS\System32\DriverStore\FileRepository\dccst3.inf_amd64_747f774669c43344\dccst3.inf
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EDEBED721804A78459C0480CDDD9CF75A522F674
Operation:	write	Name:	DisplayName
Value: Windows Driver Package - DCC Digital Check Corp. (DccSt3) USB (01/21/2015 1.0.0.0)
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EDEBED721804A78459C0480CDDD9CF75A522F674
Operation:	write	Name:	DisplayIcon
Value: C:\PROGRA~1\DIFX\F4092DA208C2C970\DPInst.exe,0
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EDEBED721804A78459C0480CDDD9CF75A522F674
Operation:	write	Name:	DisplayVersion
Value: 01/21/2015 1.0.0.0
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EDEBED721804A78459C0480CDDD9CF75A522F674
Operation:	write	Name:	Publisher
Value: DCC Digital Check Corp.
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1BCFCB58CAD0C622A504194B76156A833DE92C31
Operation:	write	Name:	UninstallString
Value: C:\PROGRA~1\DIFX\F4092DA208C2C970\DPInst.exe /u C:\WINDOWS\System32\DriverStore\FileRepository\tsusb2.inf_amd64_2a1f24991565bfb3\tsusb2.inf
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1BCFCB58CAD0C622A504194B76156A833DE92C31
Operation:	write	Name:	DisplayName
Value: Windows Driver Package - Digital Check Corporation (TsUsb2) USB (04/01/2010 2.0.0.0)
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1BCFCB58CAD0C622A504194B76156A833DE92C31
Operation:	write	Name:	DisplayIcon
Value: C:\PROGRA~1\DIFX\F4092DA208C2C970\DPInst.exe,0
(PID) Process:	(5984) DPInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1BCFCB58CAD0C622A504194B76156A833DE92C31
Operation:	write	Name:	DisplayVersion
Value: 04/01/2010 2.0.0.0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
608	passportwebclientdigitalcheck (2).exe	C:\Users\admin\AppData\Local\Temp\nsbBCD3.tmp\ioSpecial.ini		text
		MD5:E2D5070BC28DB1AC745613689FF86067	SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
608	passportwebclientdigitalcheck (2).exe	C:\PassportClientInstallation.log		text
		MD5:9F4475DA0DE45090785D7F6BAB4FDF71	SHA256:B217CB928A4FEB630435F325B0EDB1BB8BEE6932B0687B8F71477E13828DBB19
608	passportwebclientdigitalcheck (2).exe	C:\Users\admin\AppData\Local\Temp\nsbBCD3.tmp\modern-wizard.bmp		image
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
608	passportwebclientdigitalcheck (2).exe	C:\Users\admin\AppData\Local\Temp\nsbBCD3.tmp\System.dll		executable
		MD5:2AE993A2FFEC0C137EB51C8832691BCB	SHA256:681382F3134DE5C6272A49DD13651C8C201B89C247B471191496E7335702FA59
608	passportwebclientdigitalcheck (2).exe	C:\Program Files (x86)\NCR\Passport Web Edition\client.txt		text
		MD5:802C0329C37C4055A5AA058B3AAB1D3C	SHA256:097CE591C716DB82F2D77668D54BB0FD8049458CA59CF00A7DBBAB6E6B5AA499
608	passportwebclientdigitalcheck (2).exe	C:\Program Files (x86)\NCR\Passport Web Edition\pwecdrvr.dll		executable
		MD5:ED9408D292F8D2741CFBC16022659BFE	SHA256:00846E5786CFEAE6E754464C00F9E4F15DAED56FD4033E7BB38D112F76F5CCDD
608	passportwebclientdigitalcheck (2).exe	C:\Program Files (x86)\NCR\Passport Web Edition\pweccertupd.exe		executable
		MD5:7AAF539F7093A6018B4936F635623126	SHA256:E89793E5FAB996598C19030B334288CF41859E2F2B26F721B02CCAD822D99897
608	passportwebclientdigitalcheck (2).exe	C:\Program Files (x86)\NCR\Passport Web Edition\pwecsrvc.exe		executable
		MD5:EA30A3F97ECE8F80CA5EB323181785DA	SHA256:129FC2278E0EBD6C9BE8F41EB825F292FA199615BBF7EC4CB0AFA657FF0F474D
608	passportwebclientdigitalcheck (2).exe	C:\Program Files (x86)\NCR\Passport Web Edition\pwecpccheck.exe		executable
		MD5:8317D5CC9543803EA42B4AD9622F6A1F	SHA256:B03C4520E2CEFA4BA1F2D274A54495509E452783684CABE85632B708167CA441
608	passportwebclientdigitalcheck (2).exe	C:\Program Files (x86)\NCR\Passport Web Edition\license-openssl.txt		text
		MD5:F475368924827D06D4B416111C8BDB77	SHA256:C8F60F4842BBAD0353F5D81620E72B168B5638CA3A0A999F5DA113B22491612E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
624	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6420	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6420	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1588	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6944	svchost.exe	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4360	SearchApp.exe	104.126.37.137:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.48.23.147 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
www.bing.com	104.126.37.137 104.126.37.155 104.126.37.179 104.126.37.170 104.126.37.123 104.126.37.177 104.126.37.186 104.126.37.136 104.126.37.153	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.23 20.190.159.71 20.190.159.4 40.126.31.71 20.190.159.73 40.126.31.73 20.190.159.2 40.126.31.69	whitelisted
th.bing.com	104.126.37.128 104.126.37.155 104.126.37.153 104.126.37.137 104.126.37.163 104.126.37.179 104.126.37.170 104.126.37.177	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted

Threats

No threats detected

Add for printing

Process	Message
pwecpccheck.exe	590578 -- funcSetUpCallBack(-1,1354267168)
pwecpccheck.exe	590671 -- BUICExit Called
pwecsrvc.exe	596015 -- funcSetUpCallBack(-1,1364818464)
pwecsrvc.exe	596109 -- BUICExit Called

General Info

passportwebclientdigitalcheck (2).exe

7C47F95A3F0A3866B31E759267CAF386

5F9379AACF5FC7C426AE63A2C355627CEBD1621C

7EA80E1E0D6A6212689C53427DB1C70B5BB4A1898344249E24D32975B16818CA

98304:GjXVk7YQv5y5tVVBEZ8+y6eLoYd+ZIQyKxHzJ7BI8jY6vo0MuGt037oeKpU9iwja:L2r9pvoYVi10gXvRWTD6yn7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Creates file in the systems drive root

The process creates files with name similar to system file names

The process drops C-runtime libraries

Executable content was dropped or overwritten

Uses ICACLS.EXE to modify access control lists

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Uses NETSH.EXE to add a firewall rule or allowed programs

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings