a6ccf359f2965a13d8c3e07ada2a62a9d32be58b8e72d99ada2e80b3ec052df7

Analysis

max time kernel
164s
max time network
146s
platform
windows7_x64
resource
win7v20210408
submitted
26-08-2021 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

3.3MB
MD5

41544830599f851295a3218fc7f7d2bd
SHA1

d5fed6d46853a0583cd43646554bacb1448a69da
SHA256

a6ccf359f2965a13d8c3e07ada2a62a9d32be58b8e72d99ada2e80b3ec052df7
SHA512

18fcc9c1bbb19b4e3c8089c2d530ec975582aacc8ca24257af1672d2a1e36ec760d63f5903380ca7e1ed9d45a28f471a5dbc2056d16b03f97e65a904947954f0

Score

10^/10

discovery persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

__Package_pdfconverter.exeMovePdfConvertMenu.exeHdWebRegProcess.exexunjiepdfLaunch.exexunjiepdfLaunch.exe

pid process

316 __Package_pdfconverter.exe
952 MovePdfConvertMenu.exe
1768 HdWebRegProcess.exe
840 xunjiepdfLaunch.exe
1688 xunjiepdfLaunch.exe

pid	process
316	__Package_pdfconverter.exe
952	MovePdfConvertMenu.exe
1768	HdWebRegProcess.exe
840	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe

Loads dropped DLL 53 IoCs

Processes:

installer.exe__Package_pdfconverter.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeHdWebRegProcess.exexunjiepdfLaunch.exexunjiepdfLaunch.exe

pid	process
564	installer.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
808	regsvr32.exe
996	regsvr32.exe
336	regsvr32.exe
1432	regsvr32.exe
316	__Package_pdfconverter.exe
1200
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
840	xunjiepdfLaunch.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
840	xunjiepdfLaunch.exe
1768	HdWebRegProcess.exe
840	xunjiepdfLaunch.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
1768	HdWebRegProcess.exe
840	xunjiepdfLaunch.exe
840	xunjiepdfLaunch.exe
840	xunjiepdfLaunch.exe
840	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe
1688	xunjiepdfLaunch.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1548 taskkill.exe
340 taskkill.exe

pid	process
1548	taskkill.exe
340	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

HdWebRegProcess.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\HdWebRegProcess.exe = "11000"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_IMG\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	HdWebRegProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\HdWebRegProcess.exe = "11000"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	HdWebRegProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\HdWebRegProcess.exe = "1"	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	HdWebRegProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS	HdWebRegProcess.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation	HdWebRegProcess.exe

Modifies registry class 48 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx\ = "PdfConvertMenuEx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\VersionIndependentProgID\ = "PdfConvert.PdfConvertMenuEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\xunjiepdfConverter\\pdfconvertmenu64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\TypeLib\ = "{BCF37AFF-A574-49DD-8972-7AF10850DD4F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\ProgID\ = "PdfConvert.PdfConvertMenuEx.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\TypeLib\ = "{BCF37AFF-A574-49DD-8972-7AF10850DD4F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\hPdfConvertMenuExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\ = "IPdfConvertMenuEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx.1\ = "PdfConvertMenuEx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx.1\CLSID\ = "{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx\CurVer\ = "PdfConvert.PdfConvertMenuEx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\ = "IPdfConvertMenuEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\ = "PdfConvertMenuEx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\hPdfConvertMenuExt\ = "{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfConvert.PdfConvertMenuEx\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\xunjiepdfConverter\\pdfconvertmenu64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C405CEC-8624-4FEF-B3BA-9D4E5A8F58B5}\TypeLib\ = "{BCF37AFF-A574-49DD-8972-7AF10850DD4F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\ = "PdfConvertMenuLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BCF37AFF-A574-49DD-8972-7AF10850DD4F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\xunjiepdfConverter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57F7AED5-B08A-43B4-967F-F75418074CB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

__Package_pdfconverter.exe

pid process

316 __Package_pdfconverter.exe
316 __Package_pdfconverter.exe
316 __Package_pdfconverter.exe
316 __Package_pdfconverter.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1548 taskkill.exe
Token: SeDebugPrivilege 340 taskkill.exe

pid	process
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe
316	__Package_pdfconverter.exe

description	pid	process
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

installer.exe__Package_pdfconverter.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 564 wrote to memory of 316	564	installer.exe	__Package_pdfconverter.exe
PID 564 wrote to memory of 316	564	installer.exe	__Package_pdfconverter.exe
PID 564 wrote to memory of 316	564	installer.exe	__Package_pdfconverter.exe
PID 564 wrote to memory of 316	564	installer.exe	__Package_pdfconverter.exe
PID 316 wrote to memory of 1548	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 1548	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 1548	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 1548	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 340	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 340	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 340	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 340	316	__Package_pdfconverter.exe	taskkill.exe
PID 316 wrote to memory of 952	316	__Package_pdfconverter.exe	MovePdfConvertMenu.exe
PID 316 wrote to memory of 952	316	__Package_pdfconverter.exe	MovePdfConvertMenu.exe
PID 316 wrote to memory of 952	316	__Package_pdfconverter.exe	MovePdfConvertMenu.exe
PID 316 wrote to memory of 952	316	__Package_pdfconverter.exe	MovePdfConvertMenu.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 808	316	__Package_pdfconverter.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 996	808	regsvr32.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 316 wrote to memory of 336	316	__Package_pdfconverter.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1432	336	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\__Package_pdfconverter.exe
"C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\__Package_pdfconverter.exe" /S -console=show -version=1.0.0 -adminact=true -authorizationact=true -dsc=true -ssc=true -instdir="C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter" /D=C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im pdfconverter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im xunjiepdfConverter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Users\Admin\AppData\Local\xunjiepdfConverter\MovePdfConvertMenu.exe
C:\Users\Admin\AppData\Local\xunjiepdfConverter\MovePdfConvertMenu.exe
3⤵
- Executes dropped EXE
PID:952

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /u "C:\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\regsvr32.exe
/s /u "C:\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll"
4⤵
- Loads dropped DLL
PID:996

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1432

C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\HdWebRegProcess.exe
"C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\HdWebRegProcess.exe" -1073741515
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
PID:1768

C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe
"C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840

C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe
"C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\xunjiepdfConverter\MovePdfConvertMenu.exe
MD5
e2e45894a9d0757690b1b4d1d2925229

SHA1
7f899fd1379260b143917eeea7b7b0df89d8d0f6

SHA256
13586ab6a3c833b34f90810b34f8226477710db98242a9411b6d2277ed220341

SHA512
21e58bb17713ad801e1186dd8be534696398b83ecd7d23fdfbbe222acd236aa553ed366621f122361b1bd29c5ddfd7587a4bcbb9b3fd890cfd6e07f12750aa63

Download Submit
C:\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll
MD5
904cb39f227b211abea7c8122ed6932b

SHA1
104d7cba7e41f83ae5373cf6bdef4f2d06a903b6

SHA256
066370686b018d4f7969c7b15ceff75539eea4b730acf6d218325ab9dea8fa62

SHA512
8f25519dabb2b86ba0f325c3ef8519125088b49ff1769d6e13e6c42127792cec821c69d750142fcd21dbc18b606143c72eb7a54f476f74e2e67a93359d2809ae

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\HdWebRegProcess.exe
MD5
b45f48b0fa1db20fe9175912423f41cd

SHA1
2edbbbc28cf1dac874e152d0f4615f8706d98073

SHA256
88f18d31e3ae4480e2674c45d84c8f2c4669203d4a2f701e1e57a67dc70c1b5b

SHA512
4466f8680206868bf746933f6126b0b0512d0d452cf7bbe7c7f51cf56cbd40facc288cb535c7194a01c3a87c363ddb6b92f18517ae65d384ecb583d79b24ce87

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\MSVCP140.dll
MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\Qt5Core.dll
MD5
c96bb37abfe76314a7933fa1e2e613b8

SHA1
f11f8b382d40103f3e86559e0cf80d1618f9bbb8

SHA256
061d82e422d4c80e0a2b564464ba15b7abb43fb2bdbe0d48588704b670692aa7

SHA512
1252e50df1df18919aa720e23cf5c51ae225fd110ccadfc7e31f83680d35802271feaab53650ecb2292ff29b66cb53fcd62442f9f3ac97ad185bfa1a7d368705

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\VCRUNTIME140.dll
MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\__Package_pdfconverter.exe
MD5
24d2b6da84ae9ca5e8e7a9056431a5e9

SHA1
da2cb3700e0b50ae96352497fbba87fdbb30e62b

SHA256
190c32d452968ddc9384ba2ad43578bdc00e6c2e67e7bacf41acf296cf67de77

SHA512
81f41e5cf5eaebc00765f3d95726ccdd0fddd5ab2eb6df3e318ae1fa9e8da244d65ef405b486c02ebb6b0f77dad02be29412d2ca5e108881a6af60bf2a1788a1

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\__Package_pdfconverter.exe
MD5
24d2b6da84ae9ca5e8e7a9056431a5e9

SHA1
da2cb3700e0b50ae96352497fbba87fdbb30e62b

SHA256
190c32d452968ddc9384ba2ad43578bdc00e6c2e67e7bacf41acf296cf67de77

SHA512
81f41e5cf5eaebc00765f3d95726ccdd0fddd5ab2eb6df3e318ae1fa9e8da244d65ef405b486c02ebb6b0f77dad02be29412d2ca5e108881a6af60bf2a1788a1

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-file-l1-2-0.dll
MD5
ec4f2cb68dcf7e96516eb284003be8bb

SHA1
fb9237719b5e21b9db176e41bdf125e6e7c01b11

SHA256
3816bbb7dd76d8fc6a7b83a0ed2f61b23dd5fc0843d3308ee077cb725d5c9088

SHA512
6cbda80c476a9fcf46458cac45229c96dc9df251230531e25088e834cd954db9ff4561e744f76495f9c57a4068b7635c72c6f9ff838436c54142297ee310b236

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-file-l2-1-0.dll
MD5
b9287eb7bcbfdcec2e8d4198fd266509

SHA1
1375b6ff6121ec140668881f4a0b02f0c517f6c7

SHA256
096409422ecd1894e4d6289fd2d1c7490bd83daff0c1e3d16c36c78bd477b895

SHA512
b86348d3f42d0ff465066a14c281088c73ec5e03efacdaabe27a410b054a8a81b438d7e5d030b0d95f53b07783911b8b8200581d4e0b6f1b3cc79f4aae1d67df

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-localization-l1-2-0.dll
MD5
dbb81fcc74c59490008ee59bffff5a6d

SHA1
edbb465ab3bea3a4df3f05e5a4e816edbe195c3b

SHA256
f33e6ac5d3e1c4f1d89564fb6aeeac170486c073b67694380755049dbc48eec1

SHA512
2847a73e952bd5f2448264e0bfc8dc1dcd37f8b02d6d6f525ef0cb69c8e634fdcc4637876361b22c53244659039ed305c015435834b61eea15015fed45e9c374

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-processthreads-l1-1-1.dll
MD5
f61b9ecb79cd20fc2e8fce87286cfe43

SHA1
7a48accbe43e156f886f1f2836f74e1043feec59

SHA256
bfa24f94ba095174b82d3657f8ecc689eab8ff380c69b1c9a7e311eb70d66386

SHA512
42ab62087bbc9fc9c9003ae96ebb9e9bbfa3db4eb74bd6746da035d53d1002015d8482ecb92620ec65c42b8b2b41d9b0a7793e105b0cf8cb6f713a2bc03241db

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-synch-l1-2-0.dll
MD5
e4110aa5c8a32b63de2c85e0bc297c54

SHA1
6039680f47750cf56d0c9a1768de815a44b83de7

SHA256
01bb32d692b86ebb39a76893125e0f3aaf957c6e4bd682fb46eac32f6fb65be7

SHA512
0631ea8224403ca113dff9b17852e92c1fcb2820e4f335b668b12689d2a8f058ba33905692f2fd0f4897f8f766db816747ec95478d854b75a0803d2c899e6d98

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-timezone-l1-1-0.dll
MD5
00b548bf3eab7a6debce296ee5e877de

SHA1
ae18022eb78c192ac3baee32664b9eb011194772

SHA256
d592b91a087c001f9ea38dc5912a90c78fad3a368879d04fd7e5650ed374c8dc

SHA512
3ba15d9a0f1680c2b182cf04fbbfcb0d4f1b607519c161c590928930ad1b3eba8bd417575a51305b9552f0abf0064c74267336ec09cea709aed9228e4eac799e

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-convert-l1-1-0.dll
MD5
94e386a317faa200aa1dc270ce54e5fd

SHA1
e352ced285c04378bc3f6af4b30fa69df70b8974

SHA256
e4ccd13d5861e3e28984fc7263d79b580a0bc7bbe0d234ed8f1a69706ef908f3

SHA512
f622d303adecdce6ff88acc779d108556c2fdbe1f4140092d2d637c2fc1aaf651c1798291239e1334aabea702d7d380150922abd4e0122cbfc9c079a64dc0e76

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-heap-l1-1-0.dll
MD5
aad41d33906cfdb31681ce8276648481

SHA1
6367d1990873c5af2f5d05d31ea083fb8b127883

SHA256
242cb185643df586a5f55735e8810b8d2b6b095c78be206e42cdaae7665bb2cf

SHA512
43b2cf09fcb13211f5bcab6942050e03dfb9ce36b727727f7c764df3754f332f04dc81f411e55caeecfa676c43dd1e977f29b0042c485babaaad609c239a84a9

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-locale-l1-1-0.dll
MD5
e70d8fe9d21841202b4fd1cf55d37ac5

SHA1
fa62fb609d15c8ad3b5a12618bcc50f0d95cdea3

SHA256
e087f611b3659151dfb674728202944a7c0fe71710f280840e00a5c4b640632d

SHA512
bd38bdf80defd4548580e7973d89ed29e1edd401f202c367a3ba0020678206da3acc9b4436c9a122e4efc32e80dbb39eb9bf08587e4febc8f14ec86a8993bcc8

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-math-l1-1-0.dll
MD5
1028042a84aefe816280f22a4517dc68

SHA1
b3437beb0e5a6a062678a0b32cea98f3c5e33580

SHA256
4a88f73cae12080b9a637f76f8ab1b8ac29829817ff03ddd611a25b6981ee573

SHA512
1da4a2d152943447950ae5de80360741c8a827647d1568c18b026376645f15cc9b5d1915dbdb43278adeac1423b20d6e1c97f6ad67ce724a0d91ec84c4e5250c

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-multibyte-l1-1-0.dll
MD5
809bc1010eaf714cd095189af236ce2f

SHA1
10dbc383f7c49de17fc50e830e3cb494cc873dd1

SHA256
b52f2b9de19d12b0e727e13e3dde93009e487bfb2dd97fd23952c7080949d97e

SHA512
f72ec10a0005e7023187ef6ccedf2af81d16174e628369fb834af78e4ef2f3d44bf8b70e9b894abc6791d7b9720c62c52a697ff0ade0edddcaa52b6f14630d1d

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-runtime-l1-1-0.dll
MD5
2f10f2255271b09d58af75f58476899c

SHA1
ca37f8e4c99fb178e718e99eed286d1ef32b00fc

SHA256
24bc147f7c8a2dfcbe9296d83ce75a1f2c02076d8f6e6c81f6032c927ed5888a

SHA512
74d85f5a40bd22eb9c85973bda5e596c3688096dc78fb6984f84ded4757ae82d77894c4cae0f24de77d211bbd869f9a4120a104d7c2ed161b4bb7b8568cf5103

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-stdio-l1-1-0.dll
MD5
65fe48962755451a1a5bab26e6fd978d

SHA1
d1322c477fe4ff61eedf9433b8deddee27f5adb9

SHA256
5a3d9a0a2c1f9b14cb52d9cce92b761ec1fe0460ea7d994179c96648455ead84

SHA512
940269af2c3a8b5b43ca936df1bb5338ae5166f04c34a163b5938895d19bdd7eadc156add1b96b5508e06088419a7d8f466f40bf01e64b4c547fbc1b20328ed7

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-string-l1-1-0.dll
MD5
a3eccd7f2f2c45d1553055593278645a

SHA1
23cd6aed1b198ca515d7adb213efae780fbf0537

SHA256
d51dfd972e6df5e8185dce0b4eb26dccb0527c5f1c63bc081677335f69b92b67

SHA512
1dbf60f5df95e72b98b72faccb52f83585bc0bc5b1f65c259e8568d812461b738bb37c96e72e2f272370788cc7dcd7a8e5a698d9fb2c773ce0e17978c19ef858

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\libgcc_s_dw2-1.dll
MD5
043b39434829ce93637b1801d57b2082

SHA1
297b5f72104130e17d92789adbbcfab8fe700a82

SHA256
4d2e2d408d399d066b0aaef2047f7a33515c13c589832de0d9f1ba87a530c394

SHA512
eee912b21d31c54bf913d11028f1637a041809bbe4cd6a5ca28c664f72b397d67d03230ba652a06b86916aea7e7ff5999a5b26cc14c067ab1652ab82f565edcf

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\libwinpthread-1.dll
MD5
1f4411c1f66c9cdf96ca9d7f9caf52d9

SHA1
ea04be653df7335483c7c8f46367d75d4ad9224e

SHA256
b5fe4d6408ef2baabdd168f4c7250900606468e9aeb24c71e0c833d3d715ae65

SHA512
8b95d0533773c5424733862cf60ed0f0d2ed5c7016b602a71dc4ce4a90ef0946de605f46c94fb0f6c3135447f60a00d3476e8b91a61e079885aa764bc1407b8a

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\ucrtbase.DLL
MD5
015b30309491a911e75748ad69c9e680

SHA1
2f2243b6ea99689cd54e45b67d9b7d98847f904c

SHA256
dd32570b8183a8b117233333153da29cc8d2ac5b1c868440dd852d9c3f77baf5

SHA512
51159e407021ce78ad64ea91a5e53f59ee15d6d74b9c2891cd6dd532cae3f1d388198e0cd78648ce067e82fa7f01050b4773d95c5c827439f094b289f0ee0ac8

Download Submit
C:\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe
MD5
f1f4fc1244f2af11a3a0fd7d35032e47

SHA1
6900806ad5b155a5c302d806c8e9c35499c1cab2

SHA256
30fe0af7f379596f10b6b5dc51614d0c1279a2541d253517df692db22df2edb4

SHA512
bd74849f6087a5c2e7d4357df6d8a873f01e1de4dbe6100957b7d662c0a264d9824001c96fbc4514006e4a1bbc65d44c53449eb0c0b20bdf3060bb524f94487b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\KillProcDLL.dll
MD5
1cc87d2b5a79b18f133b4f944e2f2f74

SHA1
98e0ddb727c76e06be1668434d754e5b80a0c154

SHA256
de1177a4bd1c56c3555f366d40b37d7dd9cb25e16c4973d0a4d22bf9a8af7aed

SHA512
d8fee1c09fef9af4e1f38baaffa3a6d059713b14ecad900815c086cc22855644fcdeacd6bba31ea6e6925831e650f7b0d34e6dea4c57a978fb4f5bf0cd6d72a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\KillProcDLL.dll
MD5
1cc87d2b5a79b18f133b4f944e2f2f74

SHA1
98e0ddb727c76e06be1668434d754e5b80a0c154

SHA256
de1177a4bd1c56c3555f366d40b37d7dd9cb25e16c4973d0a4d22bf9a8af7aed

SHA512
d8fee1c09fef9af4e1f38baaffa3a6d059713b14ecad900815c086cc22855644fcdeacd6bba31ea6e6925831e650f7b0d34e6dea4c57a978fb4f5bf0cd6d72a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\ShellExecAsUser.dll
MD5
552cba3c6c9987e01be178e1ee22d36b

SHA1
4c0ab0127453b0b53aeb27e407859bccb229ea1b

SHA256
1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

SHA512
9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\StdUtils.dll
MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\System.dll
MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\nsExec.dll
MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\nsExec.dll
MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C9.tmp\nsExec.dll
MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\xunjiepdfConverter\MovePdfConvertMenu.exe
MD5
e2e45894a9d0757690b1b4d1d2925229

SHA1
7f899fd1379260b143917eeea7b7b0df89d8d0f6

SHA256
13586ab6a3c833b34f90810b34f8226477710db98242a9411b6d2277ed220341

SHA512
21e58bb17713ad801e1186dd8be534696398b83ecd7d23fdfbbe222acd236aa553ed366621f122361b1bd29c5ddfd7587a4bcbb9b3fd890cfd6e07f12750aa63

Download Submit
\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll
MD5
904cb39f227b211abea7c8122ed6932b

SHA1
104d7cba7e41f83ae5373cf6bdef4f2d06a903b6

SHA256
066370686b018d4f7969c7b15ceff75539eea4b730acf6d218325ab9dea8fa62

SHA512
8f25519dabb2b86ba0f325c3ef8519125088b49ff1769d6e13e6c42127792cec821c69d750142fcd21dbc18b606143c72eb7a54f476f74e2e67a93359d2809ae

Download Submit
\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll
MD5
904cb39f227b211abea7c8122ed6932b

SHA1
104d7cba7e41f83ae5373cf6bdef4f2d06a903b6

SHA256
066370686b018d4f7969c7b15ceff75539eea4b730acf6d218325ab9dea8fa62

SHA512
8f25519dabb2b86ba0f325c3ef8519125088b49ff1769d6e13e6c42127792cec821c69d750142fcd21dbc18b606143c72eb7a54f476f74e2e67a93359d2809ae

Download Submit
\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll
MD5
904cb39f227b211abea7c8122ed6932b

SHA1
104d7cba7e41f83ae5373cf6bdef4f2d06a903b6

SHA256
066370686b018d4f7969c7b15ceff75539eea4b730acf6d218325ab9dea8fa62

SHA512
8f25519dabb2b86ba0f325c3ef8519125088b49ff1769d6e13e6c42127792cec821c69d750142fcd21dbc18b606143c72eb7a54f476f74e2e67a93359d2809ae

Download Submit
\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll
MD5
904cb39f227b211abea7c8122ed6932b

SHA1
104d7cba7e41f83ae5373cf6bdef4f2d06a903b6

SHA256
066370686b018d4f7969c7b15ceff75539eea4b730acf6d218325ab9dea8fa62

SHA512
8f25519dabb2b86ba0f325c3ef8519125088b49ff1769d6e13e6c42127792cec821c69d750142fcd21dbc18b606143c72eb7a54f476f74e2e67a93359d2809ae

Download Submit
\Users\Admin\AppData\Local\xunjiepdfConverter\pdfconvertmenu64.dll
MD5
904cb39f227b211abea7c8122ed6932b

SHA1
104d7cba7e41f83ae5373cf6bdef4f2d06a903b6

SHA256
066370686b018d4f7969c7b15ceff75539eea4b730acf6d218325ab9dea8fa62

SHA512
8f25519dabb2b86ba0f325c3ef8519125088b49ff1769d6e13e6c42127792cec821c69d750142fcd21dbc18b606143c72eb7a54f476f74e2e67a93359d2809ae

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\Qt5Core.dll
MD5
c96bb37abfe76314a7933fa1e2e613b8

SHA1
f11f8b382d40103f3e86559e0cf80d1618f9bbb8

SHA256
061d82e422d4c80e0a2b564464ba15b7abb43fb2bdbe0d48588704b670692aa7

SHA512
1252e50df1df18919aa720e23cf5c51ae225fd110ccadfc7e31f83680d35802271feaab53650ecb2292ff29b66cb53fcd62442f9f3ac97ad185bfa1a7d368705

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\__Package_pdfconverter.exe
MD5
24d2b6da84ae9ca5e8e7a9056431a5e9

SHA1
da2cb3700e0b50ae96352497fbba87fdbb30e62b

SHA256
190c32d452968ddc9384ba2ad43578bdc00e6c2e67e7bacf41acf296cf67de77

SHA512
81f41e5cf5eaebc00765f3d95726ccdd0fddd5ab2eb6df3e318ae1fa9e8da244d65ef405b486c02ebb6b0f77dad02be29412d2ca5e108881a6af60bf2a1788a1

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-file-l1-2-0.dll
MD5
ec4f2cb68dcf7e96516eb284003be8bb

SHA1
fb9237719b5e21b9db176e41bdf125e6e7c01b11

SHA256
3816bbb7dd76d8fc6a7b83a0ed2f61b23dd5fc0843d3308ee077cb725d5c9088

SHA512
6cbda80c476a9fcf46458cac45229c96dc9df251230531e25088e834cd954db9ff4561e744f76495f9c57a4068b7635c72c6f9ff838436c54142297ee310b236

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-file-l2-1-0.dll
MD5
b9287eb7bcbfdcec2e8d4198fd266509

SHA1
1375b6ff6121ec140668881f4a0b02f0c517f6c7

SHA256
096409422ecd1894e4d6289fd2d1c7490bd83daff0c1e3d16c36c78bd477b895

SHA512
b86348d3f42d0ff465066a14c281088c73ec5e03efacdaabe27a410b054a8a81b438d7e5d030b0d95f53b07783911b8b8200581d4e0b6f1b3cc79f4aae1d67df

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-localization-l1-2-0.dll
MD5
dbb81fcc74c59490008ee59bffff5a6d

SHA1
edbb465ab3bea3a4df3f05e5a4e816edbe195c3b

SHA256
f33e6ac5d3e1c4f1d89564fb6aeeac170486c073b67694380755049dbc48eec1

SHA512
2847a73e952bd5f2448264e0bfc8dc1dcd37f8b02d6d6f525ef0cb69c8e634fdcc4637876361b22c53244659039ed305c015435834b61eea15015fed45e9c374

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-processthreads-l1-1-1.dll
MD5
f61b9ecb79cd20fc2e8fce87286cfe43

SHA1
7a48accbe43e156f886f1f2836f74e1043feec59

SHA256
bfa24f94ba095174b82d3657f8ecc689eab8ff380c69b1c9a7e311eb70d66386

SHA512
42ab62087bbc9fc9c9003ae96ebb9e9bbfa3db4eb74bd6746da035d53d1002015d8482ecb92620ec65c42b8b2b41d9b0a7793e105b0cf8cb6f713a2bc03241db

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-synch-l1-2-0.dll
MD5
e4110aa5c8a32b63de2c85e0bc297c54

SHA1
6039680f47750cf56d0c9a1768de815a44b83de7

SHA256
01bb32d692b86ebb39a76893125e0f3aaf957c6e4bd682fb46eac32f6fb65be7

SHA512
0631ea8224403ca113dff9b17852e92c1fcb2820e4f335b668b12689d2a8f058ba33905692f2fd0f4897f8f766db816747ec95478d854b75a0803d2c899e6d98

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-core-timezone-l1-1-0.dll
MD5
00b548bf3eab7a6debce296ee5e877de

SHA1
ae18022eb78c192ac3baee32664b9eb011194772

SHA256
d592b91a087c001f9ea38dc5912a90c78fad3a368879d04fd7e5650ed374c8dc

SHA512
3ba15d9a0f1680c2b182cf04fbbfcb0d4f1b607519c161c590928930ad1b3eba8bd417575a51305b9552f0abf0064c74267336ec09cea709aed9228e4eac799e

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-convert-l1-1-0.dll
MD5
94e386a317faa200aa1dc270ce54e5fd

SHA1
e352ced285c04378bc3f6af4b30fa69df70b8974

SHA256
e4ccd13d5861e3e28984fc7263d79b580a0bc7bbe0d234ed8f1a69706ef908f3

SHA512
f622d303adecdce6ff88acc779d108556c2fdbe1f4140092d2d637c2fc1aaf651c1798291239e1334aabea702d7d380150922abd4e0122cbfc9c079a64dc0e76

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-heap-l1-1-0.dll
MD5
aad41d33906cfdb31681ce8276648481

SHA1
6367d1990873c5af2f5d05d31ea083fb8b127883

SHA256
242cb185643df586a5f55735e8810b8d2b6b095c78be206e42cdaae7665bb2cf

SHA512
43b2cf09fcb13211f5bcab6942050e03dfb9ce36b727727f7c764df3754f332f04dc81f411e55caeecfa676c43dd1e977f29b0042c485babaaad609c239a84a9

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-locale-l1-1-0.dll
MD5
e70d8fe9d21841202b4fd1cf55d37ac5

SHA1
fa62fb609d15c8ad3b5a12618bcc50f0d95cdea3

SHA256
e087f611b3659151dfb674728202944a7c0fe71710f280840e00a5c4b640632d

SHA512
bd38bdf80defd4548580e7973d89ed29e1edd401f202c367a3ba0020678206da3acc9b4436c9a122e4efc32e80dbb39eb9bf08587e4febc8f14ec86a8993bcc8

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-math-l1-1-0.dll
MD5
1028042a84aefe816280f22a4517dc68

SHA1
b3437beb0e5a6a062678a0b32cea98f3c5e33580

SHA256
4a88f73cae12080b9a637f76f8ab1b8ac29829817ff03ddd611a25b6981ee573

SHA512
1da4a2d152943447950ae5de80360741c8a827647d1568c18b026376645f15cc9b5d1915dbdb43278adeac1423b20d6e1c97f6ad67ce724a0d91ec84c4e5250c

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-multibyte-l1-1-0.dll
MD5
809bc1010eaf714cd095189af236ce2f

SHA1
10dbc383f7c49de17fc50e830e3cb494cc873dd1

SHA256
b52f2b9de19d12b0e727e13e3dde93009e487bfb2dd97fd23952c7080949d97e

SHA512
f72ec10a0005e7023187ef6ccedf2af81d16174e628369fb834af78e4ef2f3d44bf8b70e9b894abc6791d7b9720c62c52a697ff0ade0edddcaa52b6f14630d1d

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-runtime-l1-1-0.dll
MD5
2f10f2255271b09d58af75f58476899c

SHA1
ca37f8e4c99fb178e718e99eed286d1ef32b00fc

SHA256
24bc147f7c8a2dfcbe9296d83ce75a1f2c02076d8f6e6c81f6032c927ed5888a

SHA512
74d85f5a40bd22eb9c85973bda5e596c3688096dc78fb6984f84ded4757ae82d77894c4cae0f24de77d211bbd869f9a4120a104d7c2ed161b4bb7b8568cf5103

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-stdio-l1-1-0.dll
MD5
65fe48962755451a1a5bab26e6fd978d

SHA1
d1322c477fe4ff61eedf9433b8deddee27f5adb9

SHA256
5a3d9a0a2c1f9b14cb52d9cce92b761ec1fe0460ea7d994179c96648455ead84

SHA512
940269af2c3a8b5b43ca936df1bb5338ae5166f04c34a163b5938895d19bdd7eadc156add1b96b5508e06088419a7d8f466f40bf01e64b4c547fbc1b20328ed7

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\api-ms-win-crt-string-l1-1-0.dll
MD5
a3eccd7f2f2c45d1553055593278645a

SHA1
23cd6aed1b198ca515d7adb213efae780fbf0537

SHA256
d51dfd972e6df5e8185dce0b4eb26dccb0527c5f1c63bc081677335f69b92b67

SHA512
1dbf60f5df95e72b98b72faccb52f83585bc0bc5b1f65c259e8568d812461b738bb37c96e72e2f272370788cc7dcd7a8e5a698d9fb2c773ce0e17978c19ef858

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\libgcc_s_dw2-1.dll
MD5
043b39434829ce93637b1801d57b2082

SHA1
297b5f72104130e17d92789adbbcfab8fe700a82

SHA256
4d2e2d408d399d066b0aaef2047f7a33515c13c589832de0d9f1ba87a530c394

SHA512
eee912b21d31c54bf913d11028f1637a041809bbe4cd6a5ca28c664f72b397d67d03230ba652a06b86916aea7e7ff5999a5b26cc14c067ab1652ab82f565edcf

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\libwinpthread-1.dll
MD5
1f4411c1f66c9cdf96ca9d7f9caf52d9

SHA1
ea04be653df7335483c7c8f46367d75d4ad9224e

SHA256
b5fe4d6408ef2baabdd168f4c7250900606468e9aeb24c71e0c833d3d715ae65

SHA512
8b95d0533773c5424733862cf60ed0f0d2ed5c7016b602a71dc4ce4a90ef0946de605f46c94fb0f6c3135447f60a00d3476e8b91a61e079885aa764bc1407b8a

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\msvcp140.dll
MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\ucrtbase.dll
MD5
015b30309491a911e75748ad69c9e680

SHA1
2f2243b6ea99689cd54e45b67d9b7d98847f904c

SHA256
dd32570b8183a8b117233333153da29cc8d2ac5b1c868440dd852d9c3f77baf5

SHA512
51159e407021ce78ad64ea91a5e53f59ee15d6d74b9c2891cd6dd532cae3f1d388198e0cd78648ce067e82fa7f01050b4773d95c5c827439f094b289f0ee0ac8

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\uninst.exe
MD5
74b3aaa09806f3e3e408a92dada7561a

SHA1
dccc8a92c05df19b31510705ea64b2345601b8df

SHA256
37234b3f62ec0447b07ace736c3f72ff90036f4ca20811f88a2138a0a7f7c4a7

SHA512
1b5ee5f83c9fa8e3e8421fbe2e77711dfbfcfd6558499ba6461e84c8da12b5119530aee9e2875036005f47c8d2bcdfff314fce726af2406e242c5d843a3ec116

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\vcruntime140.dll
MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe
MD5
f1f4fc1244f2af11a3a0fd7d35032e47

SHA1
6900806ad5b155a5c302d806c8e9c35499c1cab2

SHA256
30fe0af7f379596f10b6b5dc51614d0c1279a2541d253517df692db22df2edb4

SHA512
bd74849f6087a5c2e7d4357df6d8a873f01e1de4dbe6100957b7d662c0a264d9824001c96fbc4514006e4a1bbc65d44c53449eb0c0b20bdf3060bb524f94487b

Download Submit
\Users\Admin\AppData\Roaming\HuDun\XJPDFConverter\xunjiepdfLaunch.exe
MD5
f1f4fc1244f2af11a3a0fd7d35032e47

SHA1
6900806ad5b155a5c302d806c8e9c35499c1cab2

SHA256
30fe0af7f379596f10b6b5dc51614d0c1279a2541d253517df692db22df2edb4

SHA512
bd74849f6087a5c2e7d4357df6d8a873f01e1de4dbe6100957b7d662c0a264d9824001c96fbc4514006e4a1bbc65d44c53449eb0c0b20bdf3060bb524f94487b

Download Submit
memory/316-90-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/316-61-0x0000000000000000-mapping.dmp

Download
memory/336-83-0x0000000000000000-mapping.dmp

Download
memory/340-69-0x0000000000000000-mapping.dmp

Download
memory/564-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/808-76-0x0000000000000000-mapping.dmp

Download
memory/840-140-0x0000000068A80000-0x0000000068FB1000-memory.dmp

Filesize
5.2MB

Download
memory/840-139-0x00000000008F0000-0x0000000000F0B000-memory.dmp

Filesize
6.1MB

Download
memory/840-141-0x0000000061B40000-0x0000000062055000-memory.dmp

Filesize
5.1MB

Download
memory/840-142-0x0000000069900000-0x0000000069A92000-memory.dmp

Filesize
1.6MB

Download
memory/952-74-0x0000000000000000-mapping.dmp

Download
memory/996-81-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/996-80-0x0000000000000000-mapping.dmp

Download
memory/1432-86-0x0000000000000000-mapping.dmp

Download
memory/1548-67-0x0000000000000000-mapping.dmp

Download
memory/1688-145-0x0000000068A80000-0x0000000068FB1000-memory.dmp

Filesize
5.2MB

Download
memory/1688-146-0x0000000061B40000-0x0000000062055000-memory.dmp

Filesize
5.1MB

Download
memory/1688-147-0x0000000069900000-0x0000000069A92000-memory.dmp

Filesize
1.6MB

Download