General Info

File name

CDDDesktopEdition.exe

Full analysis
https://app.any.run/tasks/ce3751eb-1357-4489-a9b8-8bf1798afdee
Verdict
Malicious activity
Analysis date
2/11/2019, 11:54:39
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

17d6b6e8d515f4bcc7f20502c4b71f74

SHA1

3e8590d2e2cd3e000597770a092daa4bcead64f5

SHA256

bb80746883a15c964b4e5be0800fd13cdbe4d61dd0f200944d0424ea4a4505bf

SSDEEP

196608:H5myKKjuqgHn1qjfnLHTqCbVYIJXeJpZKhxtxJGsGG0tWtzvW3+8YDk:LK+uZHADmSXOpZKhxtqgtzv6Yo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • CDD.CCSearchIntegration.exe (PID: 2572)
  • regsvr32.exe (PID: 2748)
Application was dropped or rewritten from another process
  • CDD.CCSearchIntegration.exe (PID: 2572)
Registers / Runs the DLL via REGSVR32.EXE
  • CDD.CCSearchIntegration.exe (PID: 2572)
Changes settings of System certificates
  • CDDDesktopEdition.exe (PID: 3504)
Actions look like stealing of personal data
  • CDD.CCSearchIntegration.exe (PID: 2572)
Uses IPCONFIG.EXE to discover IP address
  • CDD.CCSearchIntegration.exe (PID: 2572)
Executable content was dropped or overwritten
  • CDDDesktopEdition.exe (PID: 3504)
  • CDD.CCSearchIntegration.exe (PID: 2572)
Adds / modifies Windows certificates
  • CDDDesktopEdition.exe (PID: 3504)

No info indicators.


Static information

TRiD
.ax
|   DirectShow filter (39.3%)
.exe
|   InstallShield setup (8.4%)
.exe
|   Win32 EXE PECompact compressed (generic) (8.1%)
.exe
|   Win64 Executable (generic) (5.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2015:12:01 17:44:45+01:00
PEType:
PE32
LinkerVersion:
11
CodeSize:
15224832
InitializedDataSize:
6144
UninitializedDataSize:
null
EntryPoint:
0xe86ede
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
6.5.0.0
ProductVersionNumber:
6.5.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
CompanyName:
ControlCase
FileDescription:
CDD Desktop
FileVersion:
6.5.0.0
InternalName:
CDDDesktopEdition.exe
LegalCopyright:
Copyright © ControlCase 2015
OriginalFileName:
CDDDesktopEdition.exe
ProductName:
CDD
ProductVersion:
6.5.0.0
AssemblyVersion:
6.5.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
01-Dec-2015 16:44:45
Debug artifacts
D:\Installer Creation\Desktop CDD v6\CDD\obj\x86\Debug\CDDDesktopEdition.pdb
CompanyName:
ControlCase
FileDescription:
CDD Desktop
FileVersion:
6.5.0.0
InternalName:
CDDDesktopEdition.exe
LegalCopyright:
Copyright © ControlCase 2015
OriginalFilename:
CDDDesktopEdition.exe
ProductName:
CDD
ProductVersion:
6.5.0.0
Assembly Version:
6.5.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
01-Dec-2015 16:44:45
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00002000 0x00E84EE4 0x00E85000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.9601
.rsrc 0x00E88000 0x000014C0 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.41662
.reloc 0x00E8A000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.10191
Resources
1

2

32512

Imports
    mscoree.dll

Exports

    No exports.

Processes

Total processes
39
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

cdddesktopedition.exe → (drop and start) cdd.ccsearchintegration.exe → (start) hostname.exe (no specs), hostname.exe (no specs), ipconfig.exe (no specs), ipconfig.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
3504
CMD
"C:\Users\admin\AppData\Local\Temp\CDDDesktopEdition.exe"
Path
C:\Users\admin\AppData\Local\Temp\CDDDesktopEdition.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ControlCase
Description
CDD Desktop
Version
6.5.0.0
Modules
Image
c:\users\admin\appdata\local\temp\cdddesktopedition.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\tof5aulv.aen\cdd.ccsearchintegration.exe

PID
2572
CMD
"C:\Users\admin\AppData\Local\Temp\tof5aulv.aen\CDD.CCSearchIntegration.exe" --input=C:/ --config=CDD.config.sdb
Path
C:\Users\admin\AppData\Local\Temp\tof5aulv.aen\CDD.CCSearchIntegration.exe
Indicators
Parent process
CDDDesktopEdition.exe
User
admin
Integrity Level
MEDIUM
Exit code
200
Version:
Company
ControlCase LLC
Description
Version
6.0
Modules
Image
c:\users\admin\appdata\local\temp\tof5aulv.aen\cdd.ccsearchintegration.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\p2x5142.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\cwd\cwd.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\list\util\util.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\dbi\dbi.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\dbd\sqlite\sqlite.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\encode\encode.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\io\io.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\fcntl\fcntl.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\compress\raw\zlib\zlib.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\posix\posix.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\win32\ole\ole.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\xml\parser\expat\expat.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\file\glob\glob.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\win32\process\process.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\data\dumper\dumper.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\hostname.exe
c:\windows\system32\ipconfig.exe
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\sxs.dll
c:\windows\system32\regsvr32.exe
c:\users\admin\appdata\local\temp\p2xtmp-2572\auto\win32\win32.dll
c:\windows\system32\mswsock.dll

PID
1436
CMD
hostname
Path
C:\Windows\system32\hostname.exe
Indicators
No indicators
Parent process
CDD.CCSearchIntegration.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Hostname APP
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\hostname.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll

PID
2836
CMD
hostname
Path
C:\Windows\system32\hostname.exe
Indicators
No indicators
Parent process
CDD.CCSearchIntegration.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Hostname APP
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\hostname.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll

PID
3280
CMD
ipconfig
Path
C:\Windows\system32\ipconfig.exe
Indicators
No indicators
Parent process
CDD.CCSearchIntegration.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
IP Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3940
CMD
ipconfig
Path
C:\Windows\system32\ipconfig.exe
Indicators
No indicators
Parent process
CDD.CCSearchIntegration.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
IP Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2748
CMD
regsvr32.exe /s C:\Users\admin\AppData\Local\Temp/p2xtmp-2572/a2tallcom.dll
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
CDD.CCSearchIntegration.exe
User
admin
Integrity Level
MEDIUM
Exit code
5
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\a2tallcom.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\sxs.dll

PID
3688
CMD
regsvr32.exe /u /s C:\Users\admin\AppData\Local\Temp/p2xtmp-2572/a2tallcom.dll
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
CDD.CCSearchIntegration.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\p2xtmp-2572\a2tallcom.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\sxs.dll

Registry activity

Total events
84
Read events
53
Write events
28
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3504
CDDDesktopEdition.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
(value omitted)
3504
CDDDesktopEdition.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C06200000001000000200000008D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F1400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B40
2DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
(value omitted)
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASAPI32
EnableFileTracing
0
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASAPI32
EnableConsoleTracing
0
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASAPI32
FileTracingMask
4294901760
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASAPI32
ConsoleTracingMask
4294901760
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASAPI32
MaxFileSize
1048576
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASAPI32
FileDirectory
%windir%\tracing
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASMANCS
EnableFileTracing
0
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASMANCS
EnableConsoleTracing
0
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASMANCS
FileTracingMask
4294901760
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASMANCS
ConsoleTracingMask
4294901760
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASMANCS
MaxFileSize
1048576
3504
CDDDesktopEdition.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CDDDesktopEdition_RASMANCS
FileDirectory
%windir%\tracing

Files activity

Executable files
35
Suspicious files
4
Text files
90
Unknown types
5

Dropped files

PID
Process
Filename
Type
2572
CDD.CCSearchIntegration.exe
C:\Users\admin\AppData\Local\Temp\p2xtmp-2572\auto\DBD\SQLite\SQLite.dll
executable
MD5: 971fc985c1b02e198c82253aa1ca97f9
SHA256: 1c72be70132488d78904e35464d7d3b578de177f5d6608560bb273252a3b1988
2572
CDD.CCSearchIntegration.exe
C:\Users\admin\AppData\Local\Temp\p2xtmp-2572\auto\Win32API\File\File.dll
executable
MD5: b9e707f995878970f7a2547c149029f8
SHA256: dd418f99faebc879bb02f03d754336e506aa01831ed4b2056c2b46aa4296ebe0
2572
CDD.CCSearchIntegration.exe
C:\Users\admin\AppData\Local\Temp\p2xtmp-2572\auto\Data\Dumper\Dumper.dll
executable
MD5: cb00203042fb754ba6724dfd793f5a2e
SHA256: b74e4c6cd425c86dd7f2e10b9b335e98079099040f439242a0835cd2e05e2a4c
2572
CDD.CCSearchIntegration.exe
C:\Users\admin\AppData\Local\Temp\p2xtmp-2572\auto\List\Util\Util.dll
executable
MD5: 145328871c4a006454aae7aa488b8046
SHA256: 691c8058f32ff45743fe304037cf34d2fce68b80972e1982084ebadef50948eb
2572
CDD.CCSearchIntegration.exe


Network activity

HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3504 CDDDesktopEdition.exe GET 200 2.16.186.81:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab unknown compressed whitelisted


Connections

PID Process IP ASN CN Reputation
3504 CDDDesktopEdition.exe 2.16.186.81:80 Akamai International B.V. –– whitelisted
3504 CDDDesktopEdition.exe 66.226.75.153:443 Codero US unknown

DNS requests

Domain IP Reputation
www.download.windowsupdate.com 2.16.186.81, 2.16.186.56 whitelisted
cdd.controlcase.com 66.226.75.153 unknown

Threats

No threats detected.

Debug output strings

No debug info.