e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-03-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Size

1.5MB
MD5

c2ecd8425110620f8f6451e3b6bda838
SHA1

00eca57dbd38dbd97b21e19ebaf451ab412189be
SHA256

e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766
SHA512

7f88a3c9c1e75fe4421805190099484af662e8dfc646e49c30a777ecf82a6ba2955505bbd3aac31da2ec712f2960faa43e2f6b1512e1ce3b59459d6984c1d442
SSDEEP

49152:GnnSosNlOlf/kbsoiZjYuBRRM9OZ7ipr27fCEfO+:GnSoEOVkbOjY0PM9aK2+a

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HDZB_DeviceService_For_CCB_2G\ImagePath = "\"C:\\Program Files (x86)\\CCBComponents\\HDZB\\CCB_HDZB_2G_DeviceService.exe\""	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1620	CCB_HDZB_2G_DeviceService.exe

Loads dropped DLL 16 IoCs

pid	Process
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
824	regsvr32.exe
824	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCBHDSNCtrl.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HD_TokenV2.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HD_TokenV2.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\system32\CCBHDSNCtrl.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCert2G.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK43.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseTraditional.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\English.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\uninst_2g.exe	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\English.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayKeyA18.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ccbcert.cer	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\rsa2048ca.cer	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK33.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ca_sm2_child.cer	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK54K100.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK151.gif	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseSimple.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ca_sm2_root.cer	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseSimple.dll	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
552	sc.exe
944	sc.exe
1476	sc.exe
1524	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win64\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ = "SNCtrl Class"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID\ = "GDCCBCtrl.SNCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\ = "SNCtrl Class"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Insertable	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll, 101"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS\ = "0"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\ = "GDCCBCtrl 1.0 Type Library"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\ = "SNCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID\ = "GDCCBCtrl.SNCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\system32\\CCBHDSNCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\ = "SNCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID\ = "GDCCBCtrl.SNCtrl.1"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\ = "0"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win32	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR\ = "C:\\Windows\\system32"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ = "SNCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\ = "SNCtrl Class"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1\ = "131473"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll, 101"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	regsvr32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
824	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1884	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	27
PID 1196 wrote to memory of 1884	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	27
PID 1196 wrote to memory of 1884	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	27
PID 1196 wrote to memory of 1884	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	27
PID 1884 wrote to memory of 552	1884	cmd.exe	29
PID 1884 wrote to memory of 552	1884	cmd.exe	29
PID 1884 wrote to memory of 552	1884	cmd.exe	29
PID 1884 wrote to memory of 552	1884	cmd.exe	29
PID 1196 wrote to memory of 112	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	30
PID 1196 wrote to memory of 112	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	30
PID 1196 wrote to memory of 112	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	30
PID 1196 wrote to memory of 112	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	30
PID 112 wrote to memory of 944	112	cmd.exe	32
PID 112 wrote to memory of 944	112	cmd.exe	32
PID 112 wrote to memory of 944	112	cmd.exe	32
PID 112 wrote to memory of 944	112	cmd.exe	32
PID 1196 wrote to memory of 1356	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	33
PID 1196 wrote to memory of 1356	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	33
PID 1196 wrote to memory of 1356	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	33
PID 1196 wrote to memory of 1356	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	33
PID 1356 wrote to memory of 1476	1356	cmd.exe	35
PID 1356 wrote to memory of 1476	1356	cmd.exe	35
PID 1356 wrote to memory of 1476	1356	cmd.exe	35
PID 1356 wrote to memory of 1476	1356	cmd.exe	35
PID 1196 wrote to memory of 888	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	36
PID 1196 wrote to memory of 888	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	36
PID 1196 wrote to memory of 888	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	36
PID 1196 wrote to memory of 888	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	36
PID 888 wrote to memory of 1524	888	cmd.exe	38
PID 888 wrote to memory of 1524	888	cmd.exe	38
PID 888 wrote to memory of 1524	888	cmd.exe	38
PID 888 wrote to memory of 1524	888	cmd.exe	38
PID 1196 wrote to memory of 868	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	40
PID 1196 wrote to memory of 868	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	40
PID 1196 wrote to memory of 868	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	40
PID 1196 wrote to memory of 868	1196	e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe	40
PID 868 wrote to memory of 824	868	cmd.exe	42
PID 868 wrote to memory of 824	868	cmd.exe	42
PID 868 wrote to memory of 824	868	cmd.exe	42
PID 868 wrote to memory of 824	868	cmd.exe	42
PID 868 wrote to memory of 824	868	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe
"C:\Users\Admin\AppData\Local\Temp\e60e5ab66a2c80da67b63f74e8c5a3e94f43a3fc79efd69a525b140572c4a766.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
    3⤵
    - Launches sc.exe
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe C:\Windows\system32\CCBHDSNCtrl.dll -s
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:824

C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
1⤵
- Executes dropped EXE
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe

Filesize
258KB

MD5
edcfb5991d68d6b5d2a4caeaacbf0915

SHA1
21dd3bd5156d3b92e1d427f077b98949626d8898

SHA256
02bec26c7b54545002d360a39b9fbe4d88366dd72c6f0a299e0d0a73a7dc4ed5

SHA512
56a46ac19c45921fe7209507223f5909afa30e43953ae507df515b078438aa9b6e7f1f792a0dae293d3509238c2c7e96e668b16c3980430e9321e2764d0c644d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\KillProcDLL.dll

Filesize
48KB

MD5
daf77c6e38734936c2f2c08a78f9505d

SHA1
3aefb2cf5e66ff1c4e3111a74c11963bcd1a2418

SHA256
e19a3ac82e2b18f6dd763ec7875c8eb1e2fb0500ec3a699f46dee4cb21bd4ec4

SHA512
6ad8fd922a1ce7b9bd6f0981546b490c2fb12379407a813ba38855e692d8dcdfb964f876b5420dc9694e1a14105d65b2256f880facbfbf739de9f6d74728f41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
C:\Windows\system32\CCBHDSNCtrl.dll

Filesize
217KB

MD5
097ebdb8a5274eeaeef26f301af786b2

SHA1
3aba6c7c51821cda98e3427db2026c3879a09341

SHA256
367db5d59bb4a622a25c7f182300bc0daa31bf92d0cf990e8c00fee45394a593

SHA512
c1dfc5cab5ce7dea74868bfeeaf0265d3c6156b87f90fedd042ee071d994d489421987e35c93382871dbb36d3fe5198164d8c1fc9abe4ba4afa4634b98e5ad22

Download Submit
C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
811KB

MD5
04db61611f80f57c83467cf74984bc22

SHA1
b9d3d7cb40732fc9608fcd968cfbcfbf8068f521

SHA256
52f84436d0c802de132d5cc18a74574b03a983ece9d6b89063b7c6a55e13079d

SHA512
923ad0a107e06ae1d39e9bd18d73861311553f2918df8b7536278f60a1a2549d89a20aaa0a6f5cf1c4d671d55bc2f3dbe8af360edb2a3107478920ec8a71a144

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\KillProcDLL.dll

Filesize
48KB

MD5
daf77c6e38734936c2f2c08a78f9505d

SHA1
3aefb2cf5e66ff1c4e3111a74c11963bcd1a2418

SHA256
e19a3ac82e2b18f6dd763ec7875c8eb1e2fb0500ec3a699f46dee4cb21bd4ec4

SHA512
6ad8fd922a1ce7b9bd6f0981546b490c2fb12379407a813ba38855e692d8dcdfb964f876b5420dc9694e1a14105d65b2256f880facbfbf739de9f6d74728f41c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4CDB.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
\Windows\SysWOW64\CCBHDSNCtrl.dll

Filesize
182KB

MD5
5d3719734f3d9c2e4ad47482e5051893

SHA1
e515fe68efa9afe6be8b694305556dacca1bcd30

SHA256
39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

SHA512
6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

Download Submit
\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
574KB

MD5
964fa6b0d17fb2511ad77f6ef6d099e8

SHA1
babd54bbbd634c903604c5585a4bee98849955e6

SHA256
bd06b09a1fba74213699e2fb4a669886d8c560f8708a4df29fbebe1be6d47bac

SHA512
e31298167233001c3fcbbbffd9a976006604372b828e805838bd6d57b49f876fc60abf57cbe09d0fab57b0e07cea187cb918abf4d05449190e584a687a65ecce

Download Submit
\Windows\System32\CCBHDSNCtrl.dll

Filesize
217KB

MD5
097ebdb8a5274eeaeef26f301af786b2

SHA1
3aba6c7c51821cda98e3427db2026c3879a09341

SHA256
367db5d59bb4a622a25c7f182300bc0daa31bf92d0cf990e8c00fee45394a593

SHA512
c1dfc5cab5ce7dea74868bfeeaf0265d3c6156b87f90fedd042ee071d994d489421987e35c93382871dbb36d3fe5198164d8c1fc9abe4ba4afa4634b98e5ad22

Download Submit
\Windows\System32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
811KB

MD5
04db61611f80f57c83467cf74984bc22

SHA1
b9d3d7cb40732fc9608fcd968cfbcfbf8068f521

SHA256
52f84436d0c802de132d5cc18a74574b03a983ece9d6b89063b7c6a55e13079d

SHA512
923ad0a107e06ae1d39e9bd18d73861311553f2918df8b7536278f60a1a2549d89a20aaa0a6f5cf1c4d671d55bc2f3dbe8af360edb2a3107478920ec8a71a144

Download Submit
memory/1196-129-0x0000000000730000-0x0000000000748000-memory.dmp

Filesize
96KB

Download
memory/1196-115-0x0000000000730000-0x000000000075F000-memory.dmp

Filesize
188KB

Download
memory/1196-63-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download