cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30/03/2023, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Size

3.2MB
MD5

aabd0123bb50d8e1a975b83cc7abb051
SHA1

4fa7c7d5b333d2bf44d4e4290f7fe012d433acfa
SHA256

cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641
SHA512

812afc4a004b60ab53c6e29fbf041a8882ef65049e374eced93e03cf6fadcee82a61d416cd82b364e7bb64bd028247d00c021d377b32d1d8372ad17b6ccd21e4
SSDEEP

98304:dlcGMKNkqS5tBqra2KV716Fl2a4FcA5aUcU:dlcGPCqS4a2o1GPA5fcU

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HDZB_DeviceService_For_CCB_2G\ImagePath = "\"C:\\Program Files (x86)\\CCBComponents\\HDZB\\CCB_HDZB_2G_DeviceService.exe\""	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1880	CCB_HDZB_2G_DeviceService.exe

Loads dropped DLL 21 IoCs

pid	Process
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
980	regsvr32.exe
980	regsvr32.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	regsvr32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HD_TokenV2.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCert2G.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_2G_P11.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCBHDSNCtrl.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HD_TokenV2.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCBHDSNCtrl.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_2G_P11.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ca_sm2_root.cer	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK151.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\usbccid.cat	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\CARoot\Cert_HDZB_2G_Firefox.exe	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\CCIDDriverInstall64.exe	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseTraditional.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ca_sm2_child.cer	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess.exe	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess_x64.exe	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseSimple.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseSimple.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\usbccid.sys	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ccbcert.cer	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\usbccid.inf	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\uninst_2g.exe	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\rsa2048ca.cer	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\English.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK33.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK43.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayKeyA18.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK54K100.gif	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\English.dll	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1276	sc.exe
1840	sc.exe
832	sc.exe
1956	sc.exe
1304	sc.exe
984	sc.exe
1780	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1\ = "131473"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win32	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR\ = "C:\\Windows\\system32"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win64\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\ = "SNCtrl Class"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ = "SNCtrl Class"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ = "SNCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID\ = "GDCCBCtrl.SNCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Insertable	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\ = "SNCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\ = "0"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID\ = "GDCCBCtrl.SNCtrl"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ = "ISNCtrl"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll, 101"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\ = "GDCCBCtrl 1.0 Type Library"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID\ = "GDCCBCtrl.SNCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS\ = "0"	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A\Blob = 03000000010000001400000010c88517844dd2ad24497fd5d35369e4f9873f1a200000000100000048030000308203443082022ca003020102020600a3331aa57b300d06092a864886f70d01010b05003032310b300906035504061302434e310c300a060355040a0c034343423115301306035504030c0c4343425253414341524f4f54301e170d3135313031373131333130385a170d3338303131373131333130385a3032310b300906035504061302434e310c300a060355040a0c034343423115301306035504030c0c4343425253414341524f4f5430820122300d06092a864886f70d01010105000382010f003082010a0282010100c211c0db81d7e4ca7600f06ee8dfd294f80beacf9a957230bf481c99eccd5a00fe0df8b25368e56f7a8f472469a6ba677b4bb0b6318024ea0c73fca6ff9d98ecf41d401e6027f0c208fff4ff316a3c88745ca457d040b419f482e14650f2a589c9793e06c6d993dff64839321b2fbb8c2abf687cd607b6fb4f3bcaaa85d4a11028c6fafef60afff91ea871351e5b5027d1a705ae2acb687bb0c41797deb470339472b5a0c14800a6f9d2f03b391e0d539d012930d277567a6dc3de80cb49815a9132f7bce249affb521fc4e2264048aa2e26f039b2a7106aea9a2754d3aedb20050e4b30a4d02fece3a75ef33f77765a46692eac8123c87550d959f0fc8f6b250203010001a360305e301f0603551d23041830168014295e7487d5004a13cf5eee03414db5bcae0ef6db300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e04160414295e7487d5004a13cf5eee03414db5bcae0ef6db300d06092a864886f70d01010b05000382010100b32e9655553ab411c295f22708845afe806d48ae80516d9c474e354db48ca59765a69486877d448dfd5f8bd3308d8fedc0d20af2ff2734ef41f07e31a53567ac626856c4d98e7c5c7216e23b71b783b19b5776d50cb28ecc2c1a16059a824712cebda36909f1ba6e44697f58679b2e1a1fc28a9b99ed46dede56482bbbdf1b35da79152083c9fc4a21c456b95aa65992c3160c8fb2e4403463169862067cf4650defd117dfbea1a051b083ab3062216a69deed3129f3d8eef23528edeabc708bbdb951abb1b75b24cad73410b06e194516b9641852f1ef6db6ae560cb4428189eb5421edcbfa543e3c91d5a011e0af2618aacf46ecc24d0a437551ac82f832fd	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4FFD0EC66CD554F2DB6140BF9DA26CEB3AD12948\Blob = 0300000001000000140000004ffd0ec66cd554f2db6140bf9da26ceb3ad1294820000000010000001902000030820215308201b8a003020102020600dbbc432b89300c06082a811ccf5501837505003035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f54301e170d3135303432353039323130305a170d3335303432303039323130305a3036310b300906035504061302434e310f300d060355040a0c06434342534d323116301406035504030c0d434342534d3243414348494c443059301306072a8648ce3d020106082a811ccf5501822d03420004c70b30cfe6cf7d6d13369d3a432bed01e845f842e0c203a4c4ef5587f5f77f584e97bc72e37f9f751e60e97fa2b2889b4226751578e0f0f0dea496492ff51616a381b03081ad301f0603551d230418301680142e96d3f701920b15b70a2e691847d85eddb0354e300f0603551d130101ff040530030101ff304d0603551d1f044630443042a040a03ea43c303a310c300a06035504030c0361726c310c300a060355040b0c0361726c310f300d060355040a0c06434342534d32310b300906035504061302434e300b0603551d0f040403020106301d0603551d0e04160414872e0a1ce624719dc394fcdb3bc0ed67f27166c0300c06082a811ccf550183750500034900304602210093ac13593bb415c727b2cac2055770781ad6fa4387d23ef46e8e51476e4d5c08022100e22cb6ffb9a357d9b864413d514f3f593a30fae07c4d9db74a5be06a11156e20	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1FE7A4A0984F10046CE3007D24E135C0828683A1\Blob = 0300000001000000140000001fe7a4a0984f10046ce3007d24e135c0828683a12000000001000000c7010000308201c330820166a003020102020600dbbc432b86300c06082a811ccf5501837505003035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f54301e170d3135303432353039303330315a170d3435303432353039303330315a3035310b300906035504061302434e310f300d060355040a0c06434342534d323115301306035504030c0c434342534d324341524f4f543059301306072a8648ce3d020106082a811ccf5501822d034200047108bd2781def82a96655bb818265771a839bf32812b7cc4623b21f44d1c0e517fb15bdc3435a94d989a3476369aa105faefd53ae2bddf9263d518bfa2065c4aa360305e301f0603551d230418301680142e96d3f701920b15b70a2e691847d85eddb0354e300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604142e96d3f701920b15b70a2e691847d85eddb0354e300c06082a811ccf55018375050003490030460221008a45416d9cb81de03028c53168f89dc85dc197c6c498545f7ac708721baed189022100e8e47cc8dc138b915e3a15fd10f87d08d0c877b70ee5725af971ee31fca58666	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9B72DB9067F28F077AB47572E5D9115D14E50C2C	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9B72DB9067F28F077AB47572E5D9115D14E50C2C\Blob = 0300000001000000140000009b72db9067f28f077ab47572e5d9115d14e50c2c2000000001000000bb020000308202b730820220a003020102020116300d06092a864886f70d010104050030818c310b300906035504061302434e310c300a060355040a130343434231143012060355040b130b4343425f4e657462616e6b310b300906035504081302424a311430120603550403130b43434220434120524f4f543111300f060355040713085869204368656e673123302106092a864886f70d010901161463612f7a682f636362406363622e636f6d2e636e301e170d3939303632393030303030305a170d3439303632393030303030305a30818c310b300906035504061302434e310c300a060355040a130343434231143012060355040b130b4343425f4e657462616e6b310b300906035504081302424a311430120603550403130b43434220434120524f4f543111300f060355040713085869204368656e673123302106092a864886f70d010901161463612f7a682f636362406363622e636f6d2e636e30819f300d06092a864886f70d010101050003818d0030818902818100a23f2503f132999d842fa2a865e6df59102f6e58f83414b79645bd301141ce1ad034dd3a17cfdfa3455be443c4636419c8eec65faa0271a186384b824e4ca640bec1212817dd5a9c5597a6104f1e11beb25227418bfbe2039168b99f725c077b5df50e008f6b51ed55c690e48858833ec98c0ea8ec3bf2a540e47a94bf8eb1870203010001a327302530120603551d130101ff040830060101ff020102300f0603551d0f0101ff04050303000600300d06092a864886f70d0101040500038181009b59c545937e1cfd655c6c211b797b191503290b45d76e3802162aeb00d131149c071ca1c151ebc7928cf737a7cc8f5bc2bc462df5fc8c9487ca42b56d3402501eaabbda40960a54b78749ab6ecdcb4870fed69bba1707518abfc585ae178651fad51569689e17b33bc450aaaa1ea163a0b7548cab7f28ce7b52e5bcca22a05f	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\10C88517844DD2AD24497FD5D35369E4F9873F1A	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
980	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 592	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	28
PID 624 wrote to memory of 592	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	28
PID 624 wrote to memory of 592	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	28
PID 624 wrote to memory of 592	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	28
PID 592 wrote to memory of 984	592	cmd.exe	30
PID 592 wrote to memory of 984	592	cmd.exe	30
PID 592 wrote to memory of 984	592	cmd.exe	30
PID 592 wrote to memory of 984	592	cmd.exe	30
PID 624 wrote to memory of 1168	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	31
PID 624 wrote to memory of 1168	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	31
PID 624 wrote to memory of 1168	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	31
PID 624 wrote to memory of 1168	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	31
PID 1168 wrote to memory of 1780	1168	cmd.exe	33
PID 1168 wrote to memory of 1780	1168	cmd.exe	33
PID 1168 wrote to memory of 1780	1168	cmd.exe	33
PID 1168 wrote to memory of 1780	1168	cmd.exe	33
PID 624 wrote to memory of 1052	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	34
PID 624 wrote to memory of 1052	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	34
PID 624 wrote to memory of 1052	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	34
PID 624 wrote to memory of 1052	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	34
PID 1052 wrote to memory of 1276	1052	cmd.exe	36
PID 1052 wrote to memory of 1276	1052	cmd.exe	36
PID 1052 wrote to memory of 1276	1052	cmd.exe	36
PID 1052 wrote to memory of 1276	1052	cmd.exe	36
PID 624 wrote to memory of 1016	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	37
PID 624 wrote to memory of 1016	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	37
PID 624 wrote to memory of 1016	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	37
PID 624 wrote to memory of 1016	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	37
PID 1016 wrote to memory of 1840	1016	cmd.exe	39
PID 1016 wrote to memory of 1840	1016	cmd.exe	39
PID 1016 wrote to memory of 1840	1016	cmd.exe	39
PID 1016 wrote to memory of 1840	1016	cmd.exe	39
PID 624 wrote to memory of 1960	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	41
PID 624 wrote to memory of 1960	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	41
PID 624 wrote to memory of 1960	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	41
PID 624 wrote to memory of 1960	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	41
PID 1960 wrote to memory of 980	1960	cmd.exe	43
PID 1960 wrote to memory of 980	1960	cmd.exe	43
PID 1960 wrote to memory of 980	1960	cmd.exe	43
PID 1960 wrote to memory of 980	1960	cmd.exe	43
PID 1960 wrote to memory of 980	1960	cmd.exe	43
PID 624 wrote to memory of 1804	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	44
PID 624 wrote to memory of 1804	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	44
PID 624 wrote to memory of 1804	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	44
PID 624 wrote to memory of 1804	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	44
PID 1804 wrote to memory of 832	1804	cmd.exe	46
PID 1804 wrote to memory of 832	1804	cmd.exe	46
PID 1804 wrote to memory of 832	1804	cmd.exe	46
PID 1804 wrote to memory of 832	1804	cmd.exe	46
PID 624 wrote to memory of 1732	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	47
PID 624 wrote to memory of 1732	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	47
PID 624 wrote to memory of 1732	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	47
PID 624 wrote to memory of 1732	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	47
PID 1732 wrote to memory of 1956	1732	cmd.exe	49
PID 1732 wrote to memory of 1956	1732	cmd.exe	49
PID 1732 wrote to memory of 1956	1732	cmd.exe	49
PID 1732 wrote to memory of 1956	1732	cmd.exe	49
PID 624 wrote to memory of 928	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	50
PID 624 wrote to memory of 928	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	50
PID 624 wrote to memory of 928	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	50
PID 624 wrote to memory of 928	624	cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe	50
PID 928 wrote to memory of 1304	928	cmd.exe	52
PID 928 wrote to memory of 1304	928	cmd.exe	52
PID 928 wrote to memory of 1304	928	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe
"C:\Users\Admin\AppData\Local\Temp\cdc78c0483d93592b21eab286aeb2a726b306768b339020722b259169d7e2641.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
    3⤵
    - Launches sc.exe
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe config SCardSvr start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config SCardSvr start= auto
    3⤵
    - Launches sc.exe
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start SCardSvr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe start SCardSvr
    3⤵
    - Launches sc.exe
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Windows\system32\sc.exe start CertPropSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe start CertPropSvc
    3⤵
    - Launches sc.exe
    PID:1304

C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
1⤵
- Executes dropped EXE
PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe

Filesize
258KB

MD5
edcfb5991d68d6b5d2a4caeaacbf0915

SHA1
21dd3bd5156d3b92e1d427f077b98949626d8898

SHA256
02bec26c7b54545002d360a39b9fbe4d88366dd72c6f0a299e0d0a73a7dc4ed5

SHA512
56a46ac19c45921fe7209507223f5909afa30e43953ae507df515b078438aa9b6e7f1f792a0dae293d3509238c2c7e96e668b16c3980430e9321e2764d0c644d

Download Submit
C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log

Filesize
4KB

MD5
8cdbfa5809c1b0c89cbf70a6367b5e8e

SHA1
590d141093ff3dbf94392e14b977b54c018c8cf6

SHA256
b31190337c7105912c49c6a622a0a76d4f41eac3076e1ff6b28a7bddf2100d7b

SHA512
7afa019e92dd4a155f7d3285c0d1a3ff12624e6575aad77b8431b4f4eed6c5873f9914cdea311b1dc69fb9e5973d3a5c24314c4fcd279f433b5405f265c1768e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\InstDrv.dll

Filesize
10KB

MD5
e33c90099612f1769abae7da48953731

SHA1
e111dfa793910b7a4c4c0a845415f4de839f5f41

SHA256
e513f09fa603941cf40bd76e458069966a616b3e125b772f85259ea2a9fbd937

SHA512
1fa472a40c3bc05e2e970a7621ae0d40d5d86e6c75d28807d6780330a735254653c777f73aff5ae60af8e2030df3bd535bfa2ec0e9ddeb5b18303b3124169d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\ThreadTimer.dll

Filesize
9KB

MD5
697f61a904654e9363e28c5223182994

SHA1
df916f7098e3f89a5cf100529ba3480feba71ce9

SHA256
5ffc3354029e6c6ed0a7db4690fe74d453980a3f21dc8cf0fb94cb5bbd421ac1

SHA512
3bfd89810bccb0d8b389988201f65b8823f138f763a1cc0cbeebdeee5a086c5c8dfb18e2a4d664648224bb96dce0ce7b6936ccc63b10f6f56fc1a4247a0d0eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\hzSrv.dll

Filesize
91KB

MD5
b037232e7e160c23458ab2df4987150f

SHA1
d760cb6fb752993816f3ee7554755dd556145052

SHA256
555599bb71f3f1905fbe606b4b552814239971f2de7e4ee4a928d424d0063467

SHA512
591b10c1c493eba936060871b48a432f77a4efdba09c693d382f8e8c1b0087232bbbd8799c331efabaaa68b4353aa00b5c331c6adb11dd08dd1f0f61a40db8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Windows\system32\CCBHDSNCtrl.dll

Filesize
217KB

MD5
097ebdb8a5274eeaeef26f301af786b2

SHA1
3aba6c7c51821cda98e3427db2026c3879a09341

SHA256
367db5d59bb4a622a25c7f182300bc0daa31bf92d0cf990e8c00fee45394a593

SHA512
c1dfc5cab5ce7dea74868bfeeaf0265d3c6156b87f90fedd042ee071d994d489421987e35c93382871dbb36d3fe5198164d8c1fc9abe4ba4afa4634b98e5ad22

Download Submit
C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
811KB

MD5
04db61611f80f57c83467cf74984bc22

SHA1
b9d3d7cb40732fc9608fcd968cfbcfbf8068f521

SHA256
52f84436d0c802de132d5cc18a74574b03a983ece9d6b89063b7c6a55e13079d

SHA512
923ad0a107e06ae1d39e9bd18d73861311553f2918df8b7536278f60a1a2549d89a20aaa0a6f5cf1c4d671d55bc2f3dbe8af360edb2a3107478920ec8a71a144

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\InstDrv.dll

Filesize
10KB

MD5
e33c90099612f1769abae7da48953731

SHA1
e111dfa793910b7a4c4c0a845415f4de839f5f41

SHA256
e513f09fa603941cf40bd76e458069966a616b3e125b772f85259ea2a9fbd937

SHA512
1fa472a40c3bc05e2e970a7621ae0d40d5d86e6c75d28807d6780330a735254653c777f73aff5ae60af8e2030df3bd535bfa2ec0e9ddeb5b18303b3124169d8a

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\ThreadTimer.dll

Filesize
9KB

MD5
697f61a904654e9363e28c5223182994

SHA1
df916f7098e3f89a5cf100529ba3480feba71ce9

SHA256
5ffc3354029e6c6ed0a7db4690fe74d453980a3f21dc8cf0fb94cb5bbd421ac1

SHA512
3bfd89810bccb0d8b389988201f65b8823f138f763a1cc0cbeebdeee5a086c5c8dfb18e2a4d664648224bb96dce0ce7b6936ccc63b10f6f56fc1a4247a0d0eb4

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\hzSrv.dll

Filesize
91KB

MD5
b037232e7e160c23458ab2df4987150f

SHA1
d760cb6fb752993816f3ee7554755dd556145052

SHA256
555599bb71f3f1905fbe606b4b552814239971f2de7e4ee4a928d424d0063467

SHA512
591b10c1c493eba936060871b48a432f77a4efdba09c693d382f8e8c1b0087232bbbd8799c331efabaaa68b4353aa00b5c331c6adb11dd08dd1f0f61a40db8aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\hzSrv.dll

Filesize
91KB

MD5
b037232e7e160c23458ab2df4987150f

SHA1
d760cb6fb752993816f3ee7554755dd556145052

SHA256
555599bb71f3f1905fbe606b4b552814239971f2de7e4ee4a928d424d0063467

SHA512
591b10c1c493eba936060871b48a432f77a4efdba09c693d382f8e8c1b0087232bbbd8799c331efabaaa68b4353aa00b5c331c6adb11dd08dd1f0f61a40db8aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\hzSrv.dll

Filesize
91KB

MD5
b037232e7e160c23458ab2df4987150f

SHA1
d760cb6fb752993816f3ee7554755dd556145052

SHA256
555599bb71f3f1905fbe606b4b552814239971f2de7e4ee4a928d424d0063467

SHA512
591b10c1c493eba936060871b48a432f77a4efdba09c693d382f8e8c1b0087232bbbd8799c331efabaaa68b4353aa00b5c331c6adb11dd08dd1f0f61a40db8aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\hzSrv.dll

Filesize
91KB

MD5
b037232e7e160c23458ab2df4987150f

SHA1
d760cb6fb752993816f3ee7554755dd556145052

SHA256
555599bb71f3f1905fbe606b4b552814239971f2de7e4ee4a928d424d0063467

SHA512
591b10c1c493eba936060871b48a432f77a4efdba09c693d382f8e8c1b0087232bbbd8799c331efabaaa68b4353aa00b5c331c6adb11dd08dd1f0f61a40db8aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFA19.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Windows\SysWOW64\CCBHDSNCtrl.dll

Filesize
182KB

MD5
5d3719734f3d9c2e4ad47482e5051893

SHA1
e515fe68efa9afe6be8b694305556dacca1bcd30

SHA256
39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

SHA512
6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

Download Submit
\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
574KB

MD5
964fa6b0d17fb2511ad77f6ef6d099e8

SHA1
babd54bbbd634c903604c5585a4bee98849955e6

SHA256
bd06b09a1fba74213699e2fb4a669886d8c560f8708a4df29fbebe1be6d47bac

SHA512
e31298167233001c3fcbbbffd9a976006604372b828e805838bd6d57b49f876fc60abf57cbe09d0fab57b0e07cea187cb918abf4d05449190e584a687a65ecce

Download Submit
\Windows\System32\CCBHDSNCtrl.dll

Filesize
217KB

MD5
097ebdb8a5274eeaeef26f301af786b2

SHA1
3aba6c7c51821cda98e3427db2026c3879a09341

SHA256
367db5d59bb4a622a25c7f182300bc0daa31bf92d0cf990e8c00fee45394a593

SHA512
c1dfc5cab5ce7dea74868bfeeaf0265d3c6156b87f90fedd042ee071d994d489421987e35c93382871dbb36d3fe5198164d8c1fc9abe4ba4afa4634b98e5ad22

Download Submit
\Windows\System32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
811KB

MD5
04db61611f80f57c83467cf74984bc22

SHA1
b9d3d7cb40732fc9608fcd968cfbcfbf8068f521

SHA256
52f84436d0c802de132d5cc18a74574b03a983ece9d6b89063b7c6a55e13079d

SHA512
923ad0a107e06ae1d39e9bd18d73861311553f2918df8b7536278f60a1a2549d89a20aaa0a6f5cf1c4d671d55bc2f3dbe8af360edb2a3107478920ec8a71a144

Download Submit
memory/624-144-0x0000000001D10000-0x0000000001D3F000-memory.dmp

Filesize
188KB

Download
memory/624-167-0x0000000001D10000-0x0000000001D28000-memory.dmp

Filesize
96KB

Download