Malware Analysis Report

2024-09-23 16:13

Sample ID 240517-e1zp3shb9t
Target 4e691c56f819bda7a993a1da19b09e54_JaffaCakes118
SHA256 b594cd8de8e9110feac542500ef31a0730a67d5ecd7ccd7756d9ea5982cb305d
Tags
bootkit discovery persistence qr link
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral17, behavioral30, behavioral2, behavioral10, behavioral13, behavioral28, behavioral32, behavioral9, behavioral18, behavioral5, behavioral14, behavioral16, behavioral20, behavioral24, behavioral11, behavioral6, behavioral7, behavioral12, behavioral19, behavioral31, behavioral1, behavioral8, behavioral15, behavioral26, behavioral27, behavioral29, behavioral4, behavioral21, behavioral22, behavioral23, behavioral25, behavioral3 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 6/10

SHA256

b594cd8de8e9110feac542500ef31a0730a67d5ecd7ccd7756d9ea5982cb305d

Threat Level: Shows suspicious behavior

The file 4e691c56f819bda7a993a1da19b09e54_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence qr link

Writes to the Master Boot Record (MBR)

Checks computer location settings

Executes dropped EXE

Registers COM server for autorun

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Program crash

One or more HTTP URLs in qr code identified

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-17 04:25

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
(16 hits; no description, indicator, process or target recorded for any of them)

NSIS installer

installer
Description Indicator Process Target
(2 hits; no description, indicator, process or target recorded)

Analysis: behavioral17

Detonation Overview

Submitted: 2024-05-17 04:25

Reported: 2024-05-17 04:28

Platform: win7-20240221-en

Max time kernel: 120s

Max time network: 129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hudunSplash.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hudunSplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hudunSplash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 256

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted: 2024-05-17 04:25

Reported: 2024-05-17 04:28

Platform: win10v2004-20240426-en

Max time kernel: 132s

Max time network: 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dll,#1

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
GB 23.73.138.82:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 82.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
GB 23.73.138.82:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 04:25

Reported: 2024-05-17 04:28

Platform: win10v2004-20240508-en

Max time kernel: 141s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\xjcadeditmenu64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationDescription = "迅捷CAD编辑器" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dxf C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADCtxMenuEx.MenuExt.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADCtxMenuEx.MenuExt\CurVer C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\ProgID\ = "CADCtxMenuEx.MenuExt.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\Application\ApplicationCompany = "迅捷CAD编辑器" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\DefaultIcon C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationName = "迅捷CAD编辑器" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ = "IsgStringConverter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationCompany = "迅捷CAD编辑器" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\DefaultIcon C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwt\OpenWithProgids C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws\OpenWithProgids C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\shell C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\XunjieCADEditorExt\Application C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C}\TypeLib\ = "{6D8D885D-9FF7-48E7-8CB6-AB2DE5990149}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ = "ISgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\CADEditorLib.ocx,1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4280 wrote to memory of 3104 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4280 wrote to memory of 3104 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4376 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4376 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4376 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4376 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 4376 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 4376 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 4376 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4376 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3984 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3984 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\xjcadeditmenu64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\xjcadeditmenu64.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\CADEditorLib.ocx"

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe InitSetting

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tj.sjhfrj.com/redirect/ver1/xunjiecadeditor/welcome/1.9.7.0/4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe/%7Bmachineid%7D

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb343b46f8,0x7ffb343b4708,0x7ffb343b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe" "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\3DLamborgini.dwg" NSICALL

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe" StartGuidAnimate 328200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,3628143007721254286,6895645769803000313,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4804 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 tj.sjhfrj.com udp
US 8.8.8.8:53 tj.huduntech.com udp
GB 43.132.64.151:80 tj.sjhfrj.com tcp
GB 43.132.64.151:80 tj.sjhfrj.com tcp
US 8.8.8.8:53 www.xunjiecad.com udp
US 8.8.8.8:53 151.64.132.43.in-addr.arpa udp
CN 113.201.158.139:80 www.xunjiecad.com tcp
CN 118.25.162.48:443 tj.huduntech.com tcp
CN 113.201.158.139:80 www.xunjiecad.com tcp
US 8.8.8.8:53 kuaishouapi.yiyongcad.com udp
CN 47.103.114.178:443 kuaishouapi.yiyongcad.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
CN 118.25.162.48:443 tj.huduntech.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 42.177.83.87:80 www.xunjiecad.com tcp
CN 42.177.83.87:80 www.xunjiecad.com tcp
CN 119.167.147.251:80 www.xunjiecad.com tcp
CN 119.167.147.251:80 www.xunjiecad.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
CN 42.177.83.225:80 www.xunjiecad.com tcp
CN 42.177.83.225:80 www.xunjiecad.com tcp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
CN 220.202.36.149:80 www.xunjiecad.com tcp
CN 220.202.36.149:80 www.xunjiecad.com tcp
CN 123.6.33.31:80 www.xunjiecad.com tcp
CN 123.6.33.31:80 www.xunjiecad.com tcp
CN 116.153.46.40:80 www.xunjiecad.com tcp
CN 116.153.46.40:80 www.xunjiecad.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsy5053.tmp\UserInfo.dll

MD5 dc90f96b169dcc9151ee6e93b47446ea
SHA1 61e57bbe333a98d14f48815db7382ddbf90db642
SHA256 afc939ebfd66a6c972d2d6bbcb978559ab3427d1582935e45392f9912ef186ad
SHA512 11658c2342a2a686a012d81c602cd8e50861506dcee9d38c416bc60451cb1d7fc24e964875b8edfc22c9647f06ffe90088f83a60973eeaffa98538294af1d5ba

C:\Users\Admin\AppData\Local\Temp\nsy5053.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsy5053.tmp\FindProcDLL.dll

MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
SHA512 678fc4bf7d345eeb99a3420ec7d0071eaba302845e93b48527d9a2a9c406709cc44ec74d6a889e25a8351a463803f8713a833df3a1707a5ad50db05240a32938

C:\Users\Admin\AppData\Local\Temp\nsy5053.tmp\KillProcDLL.dll

MD5 1cc87d2b5a79b18f133b4f944e2f2f74
SHA1 98e0ddb727c76e06be1668434d754e5b80a0c154
SHA256 de1177a4bd1c56c3555f366d40b37d7dd9cb25e16c4973d0a4d22bf9a8af7aed
SHA512 d8fee1c09fef9af4e1f38baaffa3a6d059713b14ecad900815c086cc22855644fcdeacd6bba31ea6e6925831e650f7b0d34e6dea4c57a978fb4f5bf0cd6d72a9

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\cadeditor-res\VIP\vp_00047.png

MD5 9612142af51639deddf10ab6e4a0b2c4
SHA1 76a5d9c4ae4d394a42fe6d8a112ed7a26944c76a
SHA256 ef4b76092a4c1731fb2740b79f1c83c5ff79b9c0ec8587804f2b880b42c5c6d9
SHA512 93616516b08c5e3b996364deb427c3c1a6f51eda91744158a84668b0da5325b7d1dbea4ff07ab335a7ebf16043906e878cce62fa98ce771f9d17f5708da5457b

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\cadeditor-res\load\logo动画_00072.png

MD5 77e4e719dc5a80f4fb998fc83a3d0775
SHA1 8091b08db3dcfe86ef4dca5aa22fa0e9038e4bb6
SHA256 d14195dbf975375477537d901847fecddc554b42f766c87481b8cca3e13f2e5d
SHA512 2c09ba2556210aff410c56b5642bc0e584831f14cc06ea3087a572611b366962c0d3280eca3d837ab5f18ef7b599bd37027202ab09d154a902ab25e6262e808e

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

MD5 9996f1152e3a53c2ae8330a4eee6ebae
SHA1 b611da38401b58006053edbc6f94b46f0176de2c
SHA256 17d4e97c5763daa6d2e674d1115fa4813ea6a86e5e1a7bfe65f1d0da78104be2
SHA512 9acb0ee4d06b25f2d66c7e5945adc9fb2d063d55adffbcc0008a8d95b9e75af3610d748b6b4d4e3a8aac4f1959a762a985779f4a3b618b3316371d362256f346

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\xjcadeditmenu64.dll

MD5 800b7aaa92d95e380b6bb4825f6eab91
SHA1 fed27c8c1ed74d7fd3d327fdb651d288cafc7638
SHA256 70829da77d63f8cccfb9b8009dc2b63ffae2bd8567d78493c00b365537a8a6d6
SHA512 7a1d002184c0e1009ff0527de68e6b01263019f4466ce30dd6facb2a9740b188141d4e0b0ac49c4572a82909e71d1aeb4aac5ec9d03e1a40f8aa2ba0e8b951f8

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\CADEditorLib.ocx

MD5 362573b1a66f32d678320d33e63ac0eb
SHA1 0e77102fbd7bb81ecfad8a8db1de64f62374a01b
SHA256 41c8fd5b7790783ba031153623ef7ec526bf22290fa41b9ea31cad0475aa3fb2
SHA512 d34bf43e9700d943058dd10abdf1c48d78497fb983bdb59dfafc2a5fd2ccd03b2f7c7b00f87adf21a70c105e5348b30f3eec80e3fdb316bdfed3476858255f9c

memory/2300-1017-0x0000000002290000-0x0000000003C04000-memory.dmp

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\uninst.exe

MD5 ec985b2c13732547c667655e399f9ed6
SHA1 05cb21f1df57457eadb2a4959ebc8831e0f10bdd
SHA256 6e2e115646de5b8cffe852dc3fc0d591eab7608f0fb38f0ab24a5cdf03264cac
SHA512 9a69d575729f8a2e9f8cc303e553bb511fb63cebd1039c904a71d03c8a151df71ad49e7a6b9c374c3ccb513b3d17cb0948e0d0cbdf7db33f4204cc67d3b11d85

C:\Users\Admin\AppData\Local\Temp\nsy5053.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\libcurl.dll

MD5 899cffa43b14882c7a894124dddff0ef
SHA1 eb7bf83f28e29504433f9641a29bc6eda86d97db
SHA256 77085f2830c0e3bde9eadc9003c3ede78a79c876035bdfa12cdab9db60cf64a3
SHA512 cc49f6801a34b10ebeea06289bfb5bd3db2247e705280295550aba5dda4747cce3a7ecbcdbbbeed550cde111f7a0044df1c887b35a05243626f7384f6f87dbde

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\zlib1.dll

MD5 a2937afc459de3dd731a815f17dedda7
SHA1 35d72eb978f15d903acbaccaa1c3bd9ea1f7653a
SHA256 b2c36f807753cc164633724a587f8b4bdbb9bc80c7f2990994420b3a3a05c8fc
SHA512 7d093fbf6db8770341ce9e2492079f2d3283d732d08e18ca8242ae8274325c4efb664c47e3904510c1aaeb939b9fdeee0adbae6e59f02ddb41c3998ca8ff00ab

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\vcruntime140.dll

MD5 b77eeaeaf5f8493189b89852f3a7a712
SHA1 c40cf51c2eadb070a570b969b0525dc3fb684339
SHA256 b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
SHA512 a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\set.ini

MD5 e313882ae02be70bc8bb44a43f0335cf
SHA1 247274f10d6c0d37fe48459cb9c25c7aa3c37534
SHA256 9e06251a848df652b731547fe9f24ecfedd0f8d023ae72a1be6948669be7c8b1
SHA512 5fbbdd70ad1083020f28272acc0ea4984f9847285f479d18292f88ed95f46c811fdcea91345171b63e3d64393d33c4b7c548152d16ab3b58b3d8ba0a44617c19

C:\Users\Admin\AppData\Local\HDLocal\CADEditor\CADEditor_HDSConfigure.ini

MD5 359b207f81f8d3628e22145c05d25ba4
SHA1 1c16561f270294c457cf7002532bccd55ed87a26
SHA256 7709bbdaf4df1aeab7b485c0e6c6fc2da68405f5cae9f854dd22d190a9c10bf3
SHA512 52c0b8c0f29c5900cbc9f632506296dcb7c5f5e7e3374fdc45692f2d4eac06757685b9b8bae4af0ba263f4173e47ccfc63ff2c54541633e8d88d049b8a81a29a

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Arabic.lng

MD5 d08acec03741e33db4275e47df0600f5
SHA1 df1c70f6a3a4433932b2bdc69ebd0440ec596281
SHA256 dc79ff247e17853340fa8c9e95a826e3a509e1bac86488590192636a6c2d1ef8
SHA512 c6f5913a48a4e5d6d85d901ad66c8ae3debf6e5dc7f0e3f58c14212b4854926ed51e9543faa9ede7c32e0fa1970fdd0a36b1c6efe30951201edd1179030316dd

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Bulgarian.lng

MD5 530abd65468af82a0718fd78da59b942
SHA1 c0b65ce0472b7d8f7dad632dc42455a2cd08b8cf
SHA256 500ad076d28fe65140c1d3c3cd2f0322cb8971555ec9910af136068fd6367483
SHA512 bb4596da5dd25e0d0a82e66591fdef4ccfe349fc7a242b9ef25cab6f2d7bc65e834aecaa9a7bbfbb47426c2e392a6031270af40ce1bdb2aa88909fea981d074e

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Deutsch.lng

MD5 0d41d109c3658821876bb1d1004a93e6
SHA1 e8bee15f8c14e62992edf75c6c1030d42d470f11
SHA256 24003182e93e37e88192bd667874c569c34f8e3653bfe278c2bfc5c7e596e4c6
SHA512 c3d10f3ae5671754162c1d244b45863fa5d05ea2ff0b6b1db6391bc8e49cb61b63bc5a0383d16edb75e76c428f2f106893bc49e3441f2b5356367bf04b8d7466

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Dansk.lng

MD5 2687b60c142043147c85c4103d0ebda9
SHA1 14c7cc50db6ed0a31c37d69d0731354986db77b4
SHA256 79df0e7fa797dd58e38ba92b1cd132ce5ac1fd946b9abed921c091283b64e5af
SHA512 ff6373e14696548dde194784332f6418cadbdb03c1f5f5cbd60703b895de838b1a239dbad988cf12731702b68229ed3cf1a85f128f98acf3052ca1240340162c

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Czech.lng

MD5 2f15f1a3537b1d94f9b1f7c603bb15d3
SHA1 52c2472468fa7cb53a4e5042dc167d77e6fa6286
SHA256 d49d88cb598a8f6d66d0abce91d2c9c5c98fe7eae67a23c04884acc969c29865
SHA512 96bf402aa30aa1586e765056f528afe3fe490366c70c09d41f5baa91275aa2b0060cdc96c938196cd2535e03a9a49c3bda2fa0d8e4eac993e9a5bf1c52ad4ec4

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Chinese.lng

MD5 4d34e20aa8bf812fa81add3bc7cc3afc
SHA1 e3f671b0d9768bfc7e7d6f098f919138a803ccdf
SHA256 de1e3aba0dd9dfe6011a4b70017df310337da90776c2856e9278e83c57c59c43
SHA512 9bcdbd8e761753894e451a48539ab8cc7d56cd690b4fb338a03b2a4c092a6ca83f8e98c7632cd533a3cc4a7fe4ddaed9d0f482074714eb124ae664b0fb64f0a5

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Catalan.lng

MD5 5cc37089eee3bc430c50c2b0f9a5f799
SHA1 c9994afcf6b828b74904a61ab2da9f17747d0176
SHA256 2386326614b38dec206f9437b4310ab8e96bd2fe1040ecc9ee82736561dce064
SHA512 445bc2ccf2c65091b9b339effdfddcfca5e708a7ec44f58d7c2e0f03fae25ccc4420a50d2f4d7acd7d540ced3c379f09bcb90a7f745a2277175bff7eceb8708d

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Brazilian Portuguese.lng

MD5 0e6e8b30d6478d05466b23c59ee7ddb7
SHA1 1dcb6dc5b76fe521897f8929cc753a61c3f02b12
SHA256 dfded812238ff64a8d807157722c03c9ef9a9a85d370156def1187578e65b598
SHA512 5a581de77dd0b95d2f9fe8ae977aacece382f88fe6353e3f7cc3ead291c4f359d7229c9e1557ff3c7f2d578a295f479061a96c017b215a10e93867d17366dfc7

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Belarusian.lng

MD5 b6579dd916cf423208bbda7edaa58d6f
SHA1 cb2289c520011f94419635e4cde0de100fab67c1
SHA256 7dcb701515457766eff56eb0812119fb32c1955ff4663a55abe512e15ac5ec3d
SHA512 51df63921979fdc64d4308cbe99baa2a8b7d0e43776e6db00d89d68abf8e6a2cd3ff1d4ee01ac0612d8c28d597ad3477b2365a1509f43041888607a98b1bb6da

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Estonian.lng

MD5 1a330f3a8451e2953e5068be6be2ae13
SHA1 2b0710ba932dc7f406d0c22072b0c49a6d1686bd
SHA256 60c288e8db3666a54bcc7d75077a9adb5292a4362188aa7e1e480e7fded06b5b
SHA512 7c06d6dff356441410cd50f14e2fd1d0d79e9d6a6216d9e9d2daa2866ef361974f994feadbaf145a44fe5cf615553fbc53ebfd19baeb6b34e4bbdbd50cfaa868

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Hebrew.lng

MD5 c13423d36cc13aeb56c474e4a2b5fe26
SHA1 66b5ad260e28d1ec2f5c065c4377847c1bda5e4a
SHA256 0e6791af7ead05ac36918b0629e892907af39169eb6325e9f124153a3d9ca20f
SHA512 b69898698b22328d15bf53fde83358f92239a17055a7620e2cc9b245a41d8cd7176c46defa76c60a6fcba1cb287bf06ab30c660464a8067c959131e30093d383

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Serbian.lng

MD5 8e730b9f56b7c4342ef14872d08c6e52
SHA1 537178c35fed05e039477a69519fd670f2751dbf
SHA256 33e8a9197ffd3812f00231b5bd6c534521f9db565fd667a9f629130c2f6d4d80
SHA512 734838d63d0e9e53c889d72fbc4983b2b10a47f704a15270afa5a6d7a36dc0397a0ad70d6911b6afeafe4e6d728cd62b40a129b758f0973860a88e07d1a2df74

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Russian_VM.lng

MD5 e47acd86eb4e728a30581d1fbba9f395
SHA1 6e87accd83e24b5ef4013c750881c1098ec1a3ef
SHA256 43f958974b2a8a618f5cfeedda6f7f6dabf657d877b4ed168dcde4e440e1acc0
SHA512 fbaf53b16eabd19c5f704b787a2c50f29b6f287d555cc3af6ea461807a574c68393ade6c680dc67d6ad8caeaaaba48b0004fb7b4468d1795096b5afef7a6a08f

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Russian.lng

MD5 5873e7ca2c1479c17e7389e082ba9f4d
SHA1 9c58c2ee22e2c1417f16e574427b16020a316f3f
SHA256 8e113c35eb625b068c756cce8aa55d05854f8e4d91e4730252b64f2d7988aea8
SHA512 6de7dc97132383e9eb673a9a491e63dbd33fc047a89e39c6493f19b66184b8f363f52ad5b68f5fc5abbd1b6b781715e114d3ab2eaa0332ef05cb3e4c3f715569

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Ukrainian.lng

MD5 495530d2e908b23ddea6e7dc66ddacdb
SHA1 277dbba622517aea195e1e9b9420e820fbbfa93a
SHA256 aac190e1e437e3930a640ca8524803741abbfc8586cd20b783911b747a1b057a
SHA512 f202e95aa5d3d128511f734100e530a898d4e1d3cdfcfd827beeb219ace8bae5f66c53c96d631919fc2e3c2a510e0e2d8eb75a0131587ff97bb89087e756ea61

C:\Users\Admin\AppData\Roaming\CADSoftTools\CADEditorX 14\Settings.ini

MD5 1255db551760c4b6448374e01d16eb62
SHA1 d8f444df2d3732020f947e431ba6b75d536f2380
SHA256 47749a8075b0a51d92424b98db9a5c3e7596ee2ff2ce6f9e3175aa7ca3f7d650
SHA512 6ff1ccecd6f7231214c5a40ab9624c7a77c9379eed33c36b4540c18a83f23d1974b8f35d9ee053203ccf1a080eeb00202cfdf41e73cd5807f4a6520c72d13c83

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\Hints\Brazilian Portuguese.xml

MD5 432305dae8ffbeb3a8041c021ce05c44
SHA1 813ae3937452f9409fc2acc0f512276f2158a2aa
SHA256 55713f83b62403900a78f75c0aa3b332906ab20e02107f98c69062e7e589e04e
SHA512 98e14a4f4a3c7242f9dca10f73fd011ae3a46b6028519f87ce8c607e406eb0ea1282548c611a31b8c143059a3fa6970b219648bb2c42e836a0389ad97ddbb586

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Turkish.lng

MD5 69a8f255be49a31d09805d887245f001
SHA1 20a0d8cafef1851e241b83fd0cff52654f01e7ea
SHA256 b06c4bc1d59b7cb88ce9cf678ca5cc53396ab58a0cd5e7a6384140525ec17e0e
SHA512 8c817b93de5fb5e940243f8b0306ae5c05d104f55a5494af1c7ef1e841e9867363dbcec31a333de96a530cb89ab57faf97e361c6d0bfa1baf9eadc1c1dd35fdc

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Traditional Chinese.lng

MD5 0675972914a7a51cfc9eb18e48cf96d5
SHA1 5b0502841c55bdf719c6050a8ea9627d7316cef1
SHA256 76012c7f9b3fa30e95570af8b07081c7a325c697a9d58c7f312a6b8dd41b3f15
SHA512 876b311f4b692868a6c0aa799110ed4529e8fb467243ac2a8c5064c31cadfcb55d16a0629d220a3d33d845d11fa537bef53844ee4ad26f907e1bfd5b5e1802f8

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Taiwanese.lng

MD5 03c261888308b017eed0b8276302e800
SHA1 175cd46b809a94f8cdc9f903d9485cf581126dc6
SHA256 f01a3a621d8ee535fdefbe86c708e02c18f0bfdca43d7bc68136ee5d99618b54
SHA512 9edc33b51a5ba608ddb3c4a0b4d34722d972ac0c638059de07673edc7862ca0f3292507e72054597c017055d0c60f86c10a4c9d9694e9f41c7c972648759fe92

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Svenska.lng

MD5 5cec75c6c96f4a7c7be2885f96961812
SHA1 713ed34f695d2236ce2f225d9715d06fe0012fd0
SHA256 bbd19785825b025c645dd52cf929ba25c18e5275a09f6d1e4e32cefce003452c
SHA512 af76a3e5a555e9b6338c61f84002ffb5ab81979606551ac61b48b020f9271518fc72fd1ec0c7c4324a42008c5aedc07749c6d9f4219552ef8773ec819bb80e46

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Spanish.lng

MD5 493fc389d7c229046adb8eec35c119aa
SHA1 61ee88a4cd00be06c2fca74271b31cc648683926
SHA256 92cb27b5ac6e2bf1bc471593517a5d80e6205732f631fdd632d690a56a859183
SHA512 80972165b40fe465b94638458cf5c85e451844ca88ecfee0cc931b19a0751604815aff66c1df94b7bc8dd22599fb26016553069b62eed91f07c0c7dfc39a04b5

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Slovenian.lng

MD5 e5a0735d22721c484f3c6b2cf318971c
SHA1 9eef4bf2b9011c181675a1dd2f5283e04b6cdb1b
SHA256 4db0fd0241a10cb86efc521812e7e793f6d1bfdd9f80c549d37336fa8c3a3042
SHA512 4e04fd133bc1e0f2113104bde6741ee360ea99767fe04d92678a262df5fe7166f79b79a23a218094ca593c599c550716c332afb899b4672da0402afe09edba9b

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Slovak.lng

MD5 730f0ed163490289392575875aa0b792
SHA1 0441d5101475ad231d832a71176df21486b01596
SHA256 5617245a6a36db308c624e0b99b0429b8b06c987fdd1aa16fbedf0213b714409
SHA512 0f0af20b90d13971766918c1b928d6a59d0d0804d01a5e157b3773ae7f94a251488b432190421a3fcbda8aa19aab65b9b9a5d5db000a0dc3e6b30081ee2d58e6

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Romanian.lng

MD5 b5e28e79ed605aee8470fc80f2c17787
SHA1 b161869e90725ead3d7ab90f7ddd5ef4ba0f2bbe
SHA256 f715bcfae4f8afc669f3e18a68c2044f54939ea344f147d14dc9d52253533d5e
SHA512 848efcc6a9cb5e01c9fa61495e49cc728c994e089a49b18c7eada09798572aa029c3eba55f19e00b580794c23469a64a24c8bcddc220255e56b944c16739864c

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Portuguese (Portugal).lng

MD5 66546cf8c6dc3096c3cab5ed5273a1a2
SHA1 36d352b094fa43237f57456126fc6048f3323839
SHA256 a1e535235b493eebdcf0cbe67240a325f96a6fc747225d20001a59352aa5d3df
SHA512 c47f8bd593470b399c7306ffdc953da8ce66a7642eda797c8b59f777a05cefce3e59c18da75bb5e45b4a8083ec2de7d6771468f204250cafdd39503d9b3b288e

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Polski.lng

MD5 5ebb438f2f03b35ca324abfda1f98bce
SHA1 5f1fc6d5b39bb75e4ae8b9d76318105cbb435db1
SHA256 f995bd74cb7b38b70c3a98676a3a7764590172938e7a803caf9704633629b5cf
SHA512 f7e90f8fbd9e4793781576fbeaa2f09b7efe1192b224562c08dcb834f10cb1d716f6fcd6123e6f3ece9110901da15ab7788e56c0abd0300808e86e4ffc6219e0

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Persian.lng

MD5 90dd299c5a27f409ed57d8632b29c084
SHA1 dcea5d7e2e38e5c7b535f5fcec430e81b4e8206b
SHA256 7361055b1206b8878c23a20f851996f009cd5dd78621cefb7a438085a974cc5f
SHA512 d9b46fd6b40451f7c0049eb113fd539bb59df2bf9758772529d57ef09ff02ce514c289f6e589d5f0ca4b2e9fd96ab901ed3e6fce5112767f55a02071ff684c3d

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Norsk.lng

MD5 85f6b52a7d8955bcfbda6eb7471661a8
SHA1 bd463678315c48f1e069cbf94d61949b0d1b8765
SHA256 0cf2c74af57799b404288b771d62ca55de44e3dbe67dafd22bed01765385b528
SHA512 996090d3362060687e59cef6d94c7c36cdc3457313d4db19f3927daf622ec83e12848c7d154b8f18a0ec5c27c75b17973c0418e57d78603c0cb32d30f3c1ae68

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Nederlands.lng

MD5 659c70269caf083034347dcaf5d0f25b
SHA1 c1e93ecfc4f76228094bc5202f91229e90bc4c7f
SHA256 10f4cc179412a6acc80ad5209f265c9ae4fdb1e17096be217afbdadc2933ff39
SHA512 2d8eb59bc9fd0c03073c11e75e6ed2fcfd4e2adeffa6bd867547e14652bba1002265e29951f5b91b7b1c1a344776a1b20cb92537bfc4c87f9ff7958716448a61

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Korean.lng

MD5 71a8ffb46ebf238452e31f281a9d240d
SHA1 d74f07f3da6756f8cb88b9b0e246e4040b9b6bdc
SHA256 b05af9430b6b207895e7a094c6887e049f24f7834433c6d6e83bf910c48c9923
SHA512 c6967ac33b3de1745d560b5c1e3331028d315d57b48014cc83b54ccb4a9bcd9cdeb7b8772d083eec73b46db1608484f3d728703e438f6afbab4d8d78e7bcc9b9

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Japanese.lng

MD5 061bc8badea109078305634ab07ccc41
SHA1 71f8a511d19317200bdf64a41c95f6b9985c790a
SHA256 4ba1caab95cf81c7054c41e08dcf640af23d570d33dbac8688ec1ca4efc97413
SHA512 d2455c805da2a88fefe02b3716da537484b726cc1c93948fb39ea22dbc74a367d00bc71be6372aca83651f29c0f69cf8cfb0444d55a5da1748fc1f4bb11f710d

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Italiano.lng

MD5 6d61d37eb18550ba6511b6d72a78a302
SHA1 a719fdedede3c10121f39fc5a8e90db5a1b31888
SHA256 6f83b561172e3a3a6acdda6d2e8f21f5dd11195ec952d9e1a3c64974a1ac5c46
SHA512 d49bd7181e8eadb473da1d57087d722635f951647c231bb063f93b5cabf5c3eabf012f52ce44c08f3f5ebe63bcbb7dbcb6a238b458a293c9508919b59e0cac78

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Hungarian.lng

MD5 7318a506cff2e93d946a7aef92d767c6
SHA1 3156cf0f6abcd77822caf31ba058577cb9a8f9fa
SHA256 45978707e1f87798b4fcb86964f5831c5d510eac088a32ebed2afbc700c2cbb2
SHA512 23b93db5dd52373a714b4761c4d0c9b6b9315ce9539844e7b53bce051dcda5194e1bf679680ecbfa391bdd2d129762363dd0791c7ec156ad99dfcd5dec5ab5b5

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\HRVATSKI.lng

MD5 057aae866e068228a8ee6a183df3b4e6
SHA1 55a71f8a09af069078a683fd85d48188ff65f626
SHA256 51dc9ded7d4dfb838e83f305c842ca604b51fd0f66fd93a342ed9289699744cf
SHA512 4302505b19060ffd0b35fb27a36735c0290749a43da16c7c367f227e26d39cc3b38af596c1c1625088fd2b2799583e356b3d1c4a9d79027abb56b71396e9aa91

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Greek.lng

MD5 1009849674bba18f52795c5c46efa325
SHA1 fb325ebc8f18717d3e87d245c6172ea62368d888
SHA256 1e95825ede8ddcc3a863285d70cffe922ea8efe0cd21d304cad47ba467ede64a
SHA512 29aea94040cdc31b5e1455aaf683d018f4e39f9c6384f7672439b916638e6c60f9706052d4cc91d035dd75a972e8dce82ad55c70789330fadbc580646fa01bc7

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\French.lng

MD5 8dd4753207b0b0380b5242750f53071b
SHA1 97159def25810831a2dff194df1e2fb0d21b278b
SHA256 33c1dabffb4db4f099e2d8e870897a1ff8813f1f4a886bead260da7e7834231e
SHA512 eb2e4845a18826a7dd5236716350edc1ccf7ac01b72b328319a9ad31bdfa87ac395a26fac954b874888877dda6b09314c499f2a490dada7a98b8feccd72efa71

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Finnish.lng

MD5 fd36e10d0c756cbdc7ce6ec9eb7c3d59
SHA1 4dc34f8b5f6a3465c15e6d05aa3827674c1aa072
SHA256 8b9a4d50830f5d22f6023384ef2d006052e2c34ba7b121fcb2d38617b56fe8cd
SHA512 1575a8ee4d81d32be74dca1f443210a1e39a80e01036e60487e01fc18859580f9ab8f3b0b557601c5409bb468108d5bd5ee39313e1fa2260b0a1eaa1136a35de

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\English.lng

MD5 81df25e25463536768cbdc0040d4f098
SHA1 61dc93988931d53fa0c870b5eb87753736e01184
SHA256 e8c0fe67d716492b4c64b05f2fc2925eff6fb9d5fd37bcee0e3d557c0e2bd175
SHA512 42857db37a60628bc21258a7b40ba5da749547437e5a5375f6bcd91b1d8df5b0957e4c125888e9b345821c43e1fb626fb514526918f55f9eb0460526201eb58b

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\lng\Eesti.lng

MD5 3e56dd5c43507b789792d381c90c410c
SHA1 8b535e1fcea7838c636e97a121e6abf67753f50c
SHA256 c0c9876e127cf5620ffbac8cc1d6332a2927bed1ce59bfbb6ca7e7296ed2f853
SHA512 adcd7d45b56b7feedb2d46a4935cdc7354725bee818ddb106b14ae4f37beabd1647d57ce8320c16dae926c57161eb9f8c1c0127b6c2a886f7e977721c8a99328

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 87f7abeb82600e1e640b843ad50fe0a1
SHA1 045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256 b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512 ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1 df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 465bde9c1470940c1d08be966c131b8f
SHA1 91b08bd57934f1f38940f904b099678aa2aa9a72
SHA256 c2dac3a83cf944ced70229b72204f246af2dad32ad9ecc91b3c661907b4ee5fd
SHA512 39daa1e12f3f4c00e713b7024093ef1139cdb3a4641d9a1d7422496904218d5def304d19568750900fbeb320f25df3d0421f1405c8f11cdcfd632e9fa7b8bc54

C:\Users\Admin\AppData\Local\Temp\nsy5053.tmp\ShellExecAsUser.dll

MD5 552cba3c6c9987e01be178e1ee22d36b
SHA1 4c0ab0127453b0b53aeb27e407859bccb229ea1b
SHA256 1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29
SHA512 9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1805dbd6d277fb77c1c1cf277482dc10
SHA1 0d64f6fba847e8e0f8e7baf13ca5bf0898d01d18
SHA256 c47cb0e25017571f886782fc9c312a03760426fec29efc448488969340c7bf6e
SHA512 f8d27f6b0cdc45c1762ea36852122bc85f15ea58220e4905e4871ce8391f832864f202f4115416af4404dabe1dbdafdb7abca96b90dc74095d96cc0df61403f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cc0cde2b5da7a3355049609569328543
SHA1 9ea56b007aa34d5abddc99473405ff27e70c0c7a
SHA256 8d8e2a44cb88bc30d95c6a9cfb88a3bf1ee5cb562d9988e0333d8ab7b9b1017f
SHA512 378e16128edc7d7520ad9f05d461361d1c4a8d2dd8ba5c134b1593997879e5ef174dcbf7cf731cf745cc5e543ac394e9a907cfbfc140316355b41945ed74051f

memory/2932-1245-0x0000000005B10000-0x0000000007484000-memory.dmp

memory/2932-1249-0x0000000005B10000-0x0000000007484000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4d36ed195375810dde7a2279428f1f35
SHA1 b35830e23d115b3122a604596a359c240df709d1
SHA256 bba1085b4095f2072d5e6067ab0bd72eee854486a377a4d07f175b177eb4eb56
SHA512 4e29b04c9280d4468916cd7decb1cc575b099a2a5403be3ccf5c3075a9e80ba47009296e6a5389baed0f6d29abc4df292e947b4a5f53ded686a6557f2e62635d

memory/2932-1269-0x0000000005B10000-0x0000000007484000-memory.dmp

memory/2932-1280-0x0000000005B10000-0x0000000007484000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 4752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 4752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 4752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240220-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 220

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-errorhandling-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5140 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5140 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5140 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-errorhandling-l1-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-errorhandling-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-handle-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-handle-l1-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-handle-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 220

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hudunSplash.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 440 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 440 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 440 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hudunSplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hudunSplash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 240

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 1084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2616 wrote to memory of 1084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2616 wrote to memory of 1084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1084 -ip 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 4028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3096 wrote to memory of 4028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3096 wrote to memory of 4028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A
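
Every rundll32 detonation above (behavioral10 through behavioral16) shows the same chain: the 64-bit C:\Windows\system32\rundll32.exe is handed a 32-bit DLL, relaunches itself as the SysWOW64 copy with an identical command line, and on the Windows 10 images that child is then named by WerFault (`-p <pid>`) as the crashing process. The "Suspicious use of WriteProcessMemory" rows are in every case that parent writing into the child it has just created, not injection into a foreign process, and the "Program crash" rows always name the SysWOW64 instance. The DLLs under `$PLUGINSDIR` (ShellExecAsUser.dll, System.dll, InstallOptions.dll, UserInfo.dll) are stock NSIS installer plugins that the sandbox has pulled out of the installer and run on their own; the file list earlier in this report shows the real on-disk form of that directory (`nsy5053.tmp`). The Python below is an added example, not code from the sandbox or from the analysed installer: it reconstructs that chain from process records, separates the WoW64 relaunch and the plugin crash from a genuine rundll32-from-Temp finding, and keeps the MITRE label for the latter. PROCS is constructed from behavioral10's process list; the rundll32 PIDs (2752, 4752) and the crashing PID come from the report, the WerFault PIDs (5100, 5120) and launcher PID (1000) are assumed, and USER_WRITABLE is an assumed list.

```python
"""
Process-chain triage for the rundll32 detonations above (behavioral10 through
behavioral16).  Added example, not code from the sandbox or from the analysed
installer.  PROCS is constructed from behavioral10's process list: the rundll32
PIDs (2752 -> 4752) and the crashing PID (WerFault -p 4752) come from the
report; the WerFault PIDs (5100, 5120) and the launcher PID (1000) are assumed.
"""
import re

# Directories an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
# NSIS unpacks plugin DLLs into %TEMP%\ns<random>.tmp, which installer scripts
# address as $PLUGINSDIR; this report shows both spellings of that directory.
NSIS_SCRATCH = re.compile(r"\\(\$PLUGINSDIR|ns[a-z0-9]{3,6}\.tmp)\\", re.I)
RUNDLL_RE = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+),(?P<entry>\S+)', re.I)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    return (m["dll"].strip().strip('"'), m["entry"]) if m else None


def triage(procs):
    """One finding per rundll32 process: what it loaded, whether it is the
    64-bit host relaunching itself as the SysWOW64 copy to host a 32-bit DLL
    (same command line, parent in system32), and whether WerFault later named
    that process as the crashing one."""
    by_pid = {p["pid"]: p for p in procs}
    crashed = set()
    for p in procs:
        if p["image"].lower().endswith(r"\werfault.exe"):
            crashed.update(int(x) for x in WERFAULT_PID_RE.findall(p["cmdline"]))
    findings = []
    for p in procs:
        parsed = parse_rundll32(p["cmdline"]) if p["image"].lower().endswith(r"\rundll32.exe") else None
        if not parsed:
            continue
        dll, entry = parsed
        parent = by_pid.get(p["ppid"])
        relaunch = (parent is not None
                    and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                    and p["image"].lower().endswith(r"\syswow64\rundll32.exe")
                    and parse_rundll32(parent["cmdline"]) == parsed)
        findings.append({
            "pid": p["pid"], "dll": dll, "entry": entry,
            "user_writable": any(d in dll.lower() for d in USER_WRITABLE),
            "nsis_scratch": bool(NSIS_SCRATCH.search(dll)),
            "wow64_relaunch_of": parent["pid"] if relaunch else None,
            "crashed": p["pid"] in crashed,
        })
    return findings


def verdict(f):
    """Hunt label for one finding.  NSIS plugin exports take the NSIS arguments
    (hwnd, string_size, variables, stacktop, extra), not rundll32's
    (hwnd, hinstance, cmdline, nCmdShow); invoked from rundll32 they read garbage
    where the NSIS stack pointer should be, so the crash is the expected outcome
    and says nothing about what the installer itself does."""
    if f["nsis_scratch"] and f["crashed"]:
        return "extracted NSIS plugin invoked via rundll32; crash expected, no standalone behaviour"
    if f["user_writable"]:
        return "rundll32 loading a DLL from a user-writable path; review (T1218.011)"
    return "rundll32 with a DLL outside user-writable paths; low"


PROCS = [
    {"pid": 2752, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1"},
    {"pid": 4752, "ppid": 2752, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1"},
    {"pid": 5100, "ppid": 4752, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4752 -ip 4752"},
    {"pid": 5120, "ppid": 4752, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 624"},
]

if __name__ == "__main__":
    for f in triage(PROCS):
        print(f["pid"], f["dll"], "->", verdict(f))
```

Run against the constructed records, the SysWOW64 instance (4752) comes back as a WoW64 relaunch of 2752 that crashed while hosting a plugin from the NSIS scratch directory, and only the 64-bit parent keeps the generic "DLL from a user-writable path" label. On a real host, feed the same function Sysmon event 1 (process creation) records; the Win7 detonations (behavioral13, behavioral9, behavioral5) show the identical chain, the sandbox simply did not raise the WriteProcessMemory signature there.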

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
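
Every Network table in this report has the same shape: PTR lookups for cloud address space sent to 8.8.8.8, Bing and Edge background names, and a few bare-IP TLS connections with no name attached. The PTR rows appear even in behavioral28, whose process list holds nothing but two rundll32 instances, so they describe the sandbox environment rather than the sample. What is left to look at is the handful of bare-IP rows: 142.250.187.234 has no name in behavioral10 but is resolved as chromewebstore.googleapis.com in behavioral32, while 13.107.246.64 (behavioral10) and 52.111.236.23 (behavioral16) are never named anywhere in these tables. The Python below is an added example, not sandbox code: it parses the tables as printed here, borrows names across detonations, and leaves only the genuinely unattributed rows for manual follow-up. TABLES holds rows copied from behavioral10, behavioral28 and behavioral32; BACKGROUND_NAMES is an analyst assumption listing the exact names seen in this report's background traffic (exact names rather than suffixes, since storage under *.googleapis.com is also used for staging); HYPOTHETICAL_ROW is a constructed row, not report data.

```python
"""
Noise filter for the Network tables of this report.  Added example; not the
sandbox's code.  TABLES holds rows copied from behavioral10, behavioral28 and
behavioral32; BACKGROUND_NAMES is an analyst assumption tuned to this report;
HYPOTHETICAL_ROW is constructed and not from the report.
"""

TABLES = {
    "behavioral10": """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
""",
    "behavioral28": """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
""",
    "behavioral32": """
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
""",
}
BACKGROUND_NAMES = {"g.bing.com", "www.bing.com", "tse1.mm.bing.net", "chromewebstore.googleapis.com"}
# Constructed row, not from the report, to show where a real finding would land.
HYPOTHETICAL_ROW = "US 203.0.113.10:443 update.example.net tcp"


def parse_table(text):
    """Rows are 'Country Destination [Domain] Proto'; Domain is absent for
    connections the sandbox could not tie to a name lookup."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "dest": dest, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def build_ip_map(tables):
    """IP -> names seen for it in any detonation, so a bare-IP row in one table
    can borrow the name another table resolved.  DNS query rows (port 53) are
    skipped: their 'domain' is the name asked for, not a name of 8.8.8.8."""
    ip_map = {}
    for text in tables.values():
        for r in parse_table(text):
            if r["port"] != 53 and r["domain"] and not r["domain"].endswith(".in-addr.arpa"):
                ip_map.setdefault(r["ip"], set()).add(r["domain"])
    return ip_map


def triage(rows, ip_map):
    """Bucket rows: reverse lookups, allow-listed background names (including
    bare IPs attributed through ip_map), bare IPs nobody resolved, and the rest."""
    buckets = {"reverse_lookup": [], "background": [], "unattributed": [], "review": []}
    for r in rows:
        r = dict(r, inferred=False)
        if r["domain"].endswith(".in-addr.arpa"):
            buckets["reverse_lookup"].append(r)
            continue
        if not r["domain"] and r["ip"] in ip_map:
            r["domain"] = sorted(ip_map[r["ip"]])[0]
            r["inferred"] = True
        if not r["domain"]:
            buckets["unattributed"].append(r)
        elif r["domain"] in BACKGROUND_NAMES:
            buckets["background"].append(r)
        else:
            buckets["review"].append(r)
    return buckets


if __name__ == "__main__":
    ip_map = build_ip_map(TABLES)
    for name, text in TABLES.items():
        b = triage(parse_table(text), ip_map)
        print(name, "unattributed:", [r["dest"] for r in b["unattributed"]],
              "review:", [r["domain"] for r in b["review"]])
```

For behavioral10 this leaves a single unattributed destination, 13.107.246.64:443, which is the only row in that table worth chasing through the full PCAP (TLS SNI or certificate subject) or the sandbox's per-process attribution; nothing in these tables falls into the review bucket, so the sample-attributable network activity across these detonations is nil as far as the report shows.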

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\XunjieCADEditorExt\Application C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationCompany = "迅捷CAD编辑器" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\XunjieCADEditorExt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwt\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dws\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwg C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dwt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\XunjieCADEditorExt\Application\ApplicationCompany = "迅捷CAD编辑器" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.dxf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe"

C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe" StartGuidAnimate 393274

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 tj2.sjhfrj.com udp
US 8.8.8.8:53 tj.huduntech.com udp
CN 118.25.162.48:443 tj.huduntech.com tcp
NL 23.62.61.194:443 www.bing.com tcp
GB 3.10.12.189:80 tj2.sjhfrj.com tcp
US 8.8.8.8:53 189.12.10.3.in-addr.arpa udp
CN 118.25.162.48:443 tj.huduntech.com tcp
CN 118.25.162.48:443 tj.huduntech.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\HDLocal\CADEditor\CADEditor_HDSConfigure.ini

MD5 091f16e566ddad1ff340a2ddf69d2820
SHA1 416a400d18a035e969b742510bed7d919d6b53cc
SHA256 862954c301983fa79741c9ca91b21861312a19c1e3a94a13592f72fe9a520b82
SHA512 83dc984f30b9bce9dfeed98802c3b5cbbdfb175d7cb84159ca02a73638599a1a8655f4c49ceb3258e1312565176300bfa005e8d50cc368c570e26d6b600e12bf

C:\Users\Admin\AppData\Local\HDLocal\CADEditor\CADEditor_HDSConfigure.ini

MD5 28fc9006e88959e4325609b95f7cbc4f
SHA1 99a0717756657158f8b60acc359a16b57b605116
SHA256 33ff368484844cba1b7b929fbdf26151d7016188df68e0e3d158bd89405791fa
SHA512 b81912bccb75f352ebe0e9985ab52f251a954ca571bb3c667cec9a1cf7cd52d606192e6d30c607ca51b4cf1582870fb788f69879670f869a03072b02ced6f7ce

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 640 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 640 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 640 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20231129-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3712 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3712 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2532 -ip 2532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l2-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 4024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 4024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 4024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l2-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l2-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240215-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\seguiemj.ttf C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\xjcadeditmenu64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007adde9513885dc4695b27d8ad466b4f800000000020000000000106600000001000020000000904d5734ef91bad0587d271d97b408760cd9e4fdf1281bcee9d389210a792774000000000e8000000002000020000000b5d07f80c10fd8a4d865de4ddce9c8c93150376507c3b1e6b8dcb766f9d31f4620000000854d8e3c960816d16ef444aa6dbecee79a781cd3d83be21a37cdee08a518c28840000000f2b01cd0843270634d7f9c0bb843f58e7d7d19c04946c628334bb8604d903ec7db826a8dfe2980061f6b361a7fbfbbf581b2efce1a32881e708ce2d0155409ba C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422081821" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001a879f12a8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not captured] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C306AB1-1405-11EF-AF73-469E18234AA3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\1\ = "205201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADCtxMenuEx.MenuExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ = "ISgCADEditorEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.dwt\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\XunjieCADEditorExt\Application\ApplicationName = "迅捷CAD编辑器" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.dwg\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\ProgID\ = "CADCtxMenuEx.MenuExt.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ = "ISgCADEditorEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationDescription = "迅捷CAD编辑器" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\TypeLib\ = "{6D8D885D-9FF7-48E7-8CB6-AB2DE5990149}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D8D885D-9FF7-48E7-8CB6-AB2DE5990149}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.dxf C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dxf C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D8D885D-9FF7-48E7-8CB6-AB2DE5990149}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\xjcadeditmenu64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg\DefaultIcon C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\XunjieCADEditorExt\Application C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\XunjieCADEditorExt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.dwg\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4D1782A-AE30-40A8-914F-26644BC7437C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.dwt\DefaultIcon C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\XunjieCADEditorExt\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D8D885D-9FF7-48E7-8CB6-AB2DE5990149}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws\OpenWithProgids C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hudun\\XunjieCADEditor\\xjcadeditmenu64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg\shell\open\command C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\XunjieCADEditorExt\shell\open C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{731B2DBD-0F02-456D-A15C-BC2A5DAAF5A4}\ = "CADCtxMenu Class" C:\Windows\system32\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2816 wrote to memory of 2004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 1200 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 1200 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 1200 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 1200 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 704 wrote to memory of 2208 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 704 wrote to memory of 2208 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 704 wrote to memory of 2208 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 704 wrote to memory of 2208 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2572 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 2572 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 2572 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe
PID 2572 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\xjcadeditmenu64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\xjcadeditmenu64.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\CADEditorLib.ocx"

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe InitSetting

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://tj.sjhfrj.com/redirect/ver1/xunjiecadeditor/welcome/1.9.7.0/4e691c56f819bda7a993a1da19b09e54_JaffaCakes118.exe/%7Bmachineid%7D

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe" "C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\3DLamborgini.dwg" NSICALL

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe" StartGuidAnimate 328178

Network

Country Destination Domain Proto
US 8.8.8.8:53 tj.sjhfrj.com udp
US 8.8.8.8:53 tj.sjhfrj.com udp
NL 43.152.42.39:80 tj.sjhfrj.com tcp
NL 43.152.42.39:80 tj.sjhfrj.com tcp
US 8.8.8.8:53 tj.huduntech.com udp
CN 118.25.162.48:443 tj.huduntech.com tcp
US 8.8.8.8:53 www.xunjiecad.com udp
CN 123.6.33.209:80 www.xunjiecad.com tcp
CN 123.6.33.209:80 www.xunjiecad.com tcp
US 8.8.8.8:53 kuaishouapi.yiyongcad.com udp
CN 47.103.114.178:443 kuaishouapi.yiyongcad.com tcp
CN 118.25.162.48:443 tj.huduntech.com tcp
CN 123.6.33.31:80 www.xunjiecad.com tcp
CN 123.6.33.31:80 www.xunjiecad.com tcp
CN 116.153.68.187:80 www.xunjiecad.com tcp
CN 116.153.68.187:80 www.xunjiecad.com tcp
CN 42.177.83.87:80 www.xunjiecad.com tcp
CN 42.177.83.87:80 www.xunjiecad.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 116.153.68.115:80 www.xunjiecad.com tcp
CN 116.153.68.115:80 www.xunjiecad.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsi1823.tmp\UserInfo.dll

MD5 dc90f96b169dcc9151ee6e93b47446ea
SHA1 61e57bbe333a98d14f48815db7382ddbf90db642
SHA256 afc939ebfd66a6c972d2d6bbcb978559ab3427d1582935e45392f9912ef186ad
SHA512 11658c2342a2a686a012d81c602cd8e50861506dcee9d38c416bc60451cb1d7fc24e964875b8edfc22c9647f06ffe90088f83a60973eeaffa98538294af1d5ba

\Users\Admin\AppData\Local\Temp\nsi1823.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

\Users\Admin\AppData\Local\Temp\nsi1823.tmp\FindProcDLL.dll

MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
SHA512 678fc4bf7d345eeb99a3420ec7d0071eaba302845e93b48527d9a2a9c406709cc44ec74d6a889e25a8351a463803f8713a833df3a1707a5ad50db05240a32938

\Users\Admin\AppData\Local\Temp\nsi1823.tmp\KillProcDLL.dll

MD5 1cc87d2b5a79b18f133b4f944e2f2f74
SHA1 98e0ddb727c76e06be1668434d754e5b80a0c154
SHA256 de1177a4bd1c56c3555f366d40b37d7dd9cb25e16c4973d0a4d22bf9a8af7aed
SHA512 d8fee1c09fef9af4e1f38baaffa3a6d059713b14ecad900815c086cc22855644fcdeacd6bba31ea6e6925831e650f7b0d34e6dea4c57a978fb4f5bf0cd6d72a9

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\cadeditor-res\VIP\vp_00047.png

MD5 9612142af51639deddf10ab6e4a0b2c4
SHA1 76a5d9c4ae4d394a42fe6d8a112ed7a26944c76a
SHA256 ef4b76092a4c1731fb2740b79f1c83c5ff79b9c0ec8587804f2b880b42c5c6d9
SHA512 93616516b08c5e3b996364deb427c3c1a6f51eda91744158a84668b0da5325b7d1dbea4ff07ab335a7ebf16043906e878cce62fa98ce771f9d17f5708da5457b

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\cadeditor-res\load\logo动画_00072.png

MD5 77e4e719dc5a80f4fb998fc83a3d0775
SHA1 8091b08db3dcfe86ef4dca5aa22fa0e9038e4bb6
SHA256 d14195dbf975375477537d901847fecddc554b42f766c87481b8cca3e13f2e5d
SHA512 2c09ba2556210aff410c56b5642bc0e584831f14cc06ea3087a572611b366962c0d3280eca3d837ab5f18ef7b599bd37027202ab09d154a902ab25e6262e808e

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\XunjieCADEditor.exe

MD5 9996f1152e3a53c2ae8330a4eee6ebae
SHA1 b611da38401b58006053edbc6f94b46f0176de2c
SHA256 17d4e97c5763daa6d2e674d1115fa4813ea6a86e5e1a7bfe65f1d0da78104be2
SHA512 9acb0ee4d06b25f2d66c7e5945adc9fb2d063d55adffbcc0008a8d95b9e75af3610d748b6b4d4e3a8aac4f1959a762a985779f4a3b618b3316371d362256f346

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\xjcadeditmenu64.dll

MD5 800b7aaa92d95e380b6bb4825f6eab91
SHA1 fed27c8c1ed74d7fd3d327fdb651d288cafc7638
SHA256 70829da77d63f8cccfb9b8009dc2b63ffae2bd8567d78493c00b365537a8a6d6
SHA512 7a1d002184c0e1009ff0527de68e6b01263019f4466ce30dd6facb2a9740b188141d4e0b0ac49c4572a82909e71d1aeb4aac5ec9d03e1a40f8aa2ba0e8b951f8

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\CADEditorLib.ocx

MD5 362573b1a66f32d678320d33e63ac0eb
SHA1 0e77102fbd7bb81ecfad8a8db1de64f62374a01b
SHA256 41c8fd5b7790783ba031153623ef7ec526bf22290fa41b9ea31cad0475aa3fb2
SHA512 d34bf43e9700d943058dd10abdf1c48d78497fb983bdb59dfafc2a5fd2ccd03b2f7c7b00f87adf21a70c105e5348b30f3eec80e3fdb316bdfed3476858255f9c

memory/536-1028-0x0000000002340000-0x0000000003CB4000-memory.dmp

C:\Windows\Fonts\seguiemj.ttf

MD5 66873ab6f9b6b7292a40ab6d14a3ec3a
SHA1 0d22b47d1283bfd390ae1e9e1b341024c2393d1b
SHA256 3e39d9acb979b5d8c22afce30a407473d2bca6c1a58631260d66b64b03460404
SHA512 6714cf72c8fd1996e4db63c7cea5ccde08f322d57899b5cc2bf233fcb0d3301703ab7e7aacbefae7908259336bd67f557189d55777f0d7ee1f98c25c0477379c

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\uninst.exe

MD5 ec985b2c13732547c667655e399f9ed6
SHA1 05cb21f1df57457eadb2a4959ebc8831e0f10bdd
SHA256 6e2e115646de5b8cffe852dc3fc0d591eab7608f0fb38f0ab24a5cdf03264cac
SHA512 9a69d575729f8a2e9f8cc303e553bb511fb63cebd1039c904a71d03c8a151df71ad49e7a6b9c374c3ccb513b3d17cb0948e0d0cbdf7db33f4204cc67d3b11d85

memory/1200-1052-0x00000000005D0000-0x00000000005D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi1823.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-runtime-l1-1-0.dll

MD5 2f10f2255271b09d58af75f58476899c
SHA1 ca37f8e4c99fb178e718e99eed286d1ef32b00fc
SHA256 24bc147f7c8a2dfcbe9296d83ce75a1f2c02076d8f6e6c81f6032c927ed5888a
SHA512 74d85f5a40bd22eb9c85973bda5e596c3688096dc78fb6984f84ded4757ae82d77894c4cae0f24de77d211bbd869f9a4120a104d7c2ed161b4bb7b8568cf5103

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\vcruntime140.dll

MD5 b77eeaeaf5f8493189b89852f3a7a712
SHA1 c40cf51c2eadb070a570b969b0525dc3fb684339
SHA256 b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
SHA512 a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\libcurl.dll

MD5 899cffa43b14882c7a894124dddff0ef
SHA1 eb7bf83f28e29504433f9641a29bc6eda86d97db
SHA256 77085f2830c0e3bde9eadc9003c3ede78a79c876035bdfa12cdab9db60cf64a3
SHA512 cc49f6801a34b10ebeea06289bfb5bd3db2247e705280295550aba5dda4747cce3a7ecbcdbbbeed550cde111f7a0044df1c887b35a05243626f7384f6f87dbde

C:\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\zlib1.dll

MD5 a2937afc459de3dd731a815f17dedda7
SHA1 35d72eb978f15d903acbaccaa1c3bd9ea1f7653a
SHA256 b2c36f807753cc164633724a587f8b4bdbb9bc80c7f2990994420b3a3a05c8fc
SHA512 7d093fbf6db8770341ce9e2492079f2d3283d732d08e18ca8242ae8274325c4efb664c47e3904510c1aaeb939b9fdeee0adbae6e59f02ddb41c3998ca8ff00ab

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 b7e1023ebbf0e5018c58b5488c03a643
SHA1 b10d3a570d4a44b87480d015aac4d04ef3f0a355
SHA256 e7238f5e38d3991e9d6219255e8cd951d6dd431402c4b4b295a68bd43efa3d48
SHA512 c5536416aeba4b37931e2961a29ea4c8679f6d942289325c9067d46b36797e404c0d8dfd01ce997e89bd42a7f084029d2f2d3cd7485b8cec5e66db50ac1df565

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-utility-l1-1-0.dll

MD5 e0aeba2d9d9ae584d6c1aa0f5929526b
SHA1 3f97b977d8877398d350b373fd441867167bd2ba
SHA256 4eca5b9e5be5750b0bc03fd74b6d5e351cb6d70fd63d5f740a1a122f906390e0
SHA512 cfa02a7afa052c5149a741500063f110462d272af417c33bedeac6ad3af424b181144c8045adc04a44a54dffca4639ae3c135f23d64bcfb66f7d3aa980143799

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-math-l1-1-0.dll

MD5 1028042a84aefe816280f22a4517dc68
SHA1 b3437beb0e5a6a062678a0b32cea98f3c5e33580
SHA256 4a88f73cae12080b9a637f76f8ab1b8ac29829817ff03ddd611a25b6981ee573
SHA512 1da4a2d152943447950ae5de80360741c8a827647d1568c18b026376645f15cc9b5d1915dbdb43278adeac1423b20d6e1c97f6ad67ce724a0d91ec84c4e5250c

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-time-l1-1-0.dll

MD5 c8f1a3b19e5103751202010805bce5c9
SHA1 179cf585ce939d05f9610d4b684e4dda6f452f76
SHA256 d5e2fb8495bbbfb66b2612cd5179c1a5f4746dcdd043ecd474363ffe4a8deb4f
SHA512 879fbe66e5440cbe01bd1814a36345fce6454196c8457969d2ee9e93b749df91d0d95b1da1d368063b7ef2a3ed538449b456eb2c7507a27de60105a0d37dcb71

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-locale-l1-1-0.dll

MD5 bc75b80a80802146e79c383c94542f06
SHA1 7da2020a855ea6c003d905551a28af456e7519c2
SHA256 81a7a98e11ae94236f34a82a0d450a1100a9b8e752205248de0037a764b91a07
SHA512 0b6a8f6809f1a39c90bfe58ef0d05d997be307cb18771ff8fed6539bf7e19ee8cc3bedc44e1c22f34441db9b82a6470d3814fc7465d1ea82fa30d37278a0fe65

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 42153324a982f848d7a49bb7406125c2
SHA1 f0878690d23ad0c905f0a6ec37e9ea1edb813195
SHA256 fcd8b213e2e9962b84d1eec4296bbefdf4465398a235e118be12c878fdc08c05
SHA512 1710b3fd90210dd6603f2104de249704cad9d83acdc0c6b96ac24e20c4913679b1e4ee41bb7812d919ba76cadb36f7bd8210ee127325fd9db6b542cf2d0b7f69

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-convert-l1-1-0.dll

MD5 94e386a317faa200aa1dc270ce54e5fd
SHA1 e352ced285c04378bc3f6af4b30fa69df70b8974
SHA256 e4ccd13d5861e3e28984fc7263d79b580a0bc7bbe0d234ed8f1a69706ef908f3
SHA512 f622d303adecdce6ff88acc779d108556c2fdbe1f4140092d2d637c2fc1aaf651c1798291239e1334aabea702d7d380150922abd4e0122cbfc9c079a64dc0e76

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-stdio-l1-1-0.dll

MD5 65fe48962755451a1a5bab26e6fd978d
SHA1 d1322c477fe4ff61eedf9433b8deddee27f5adb9
SHA256 5a3d9a0a2c1f9b14cb52d9cce92b761ec1fe0460ea7d994179c96648455ead84
SHA512 940269af2c3a8b5b43ca936df1bb5338ae5166f04c34a163b5938895d19bdd7eadc156add1b96b5508e06088419a7d8f466f40bf01e64b4c547fbc1b20328ed7

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-heap-l1-1-0.dll

MD5 aad41d33906cfdb31681ce8276648481
SHA1 6367d1990873c5af2f5d05d31ea083fb8b127883
SHA256 242cb185643df586a5f55735e8810b8d2b6b095c78be206e42cdaae7665bb2cf
SHA512 43b2cf09fcb13211f5bcab6942050e03dfb9ce36b727727f7c764df3754f332f04dc81f411e55caeecfa676c43dd1e977f29b0042c485babaaad609c239a84a9

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-crt-string-l1-1-0.dll

MD5 a3eccd7f2f2c45d1553055593278645a
SHA1 23cd6aed1b198ca515d7adb213efae780fbf0537
SHA256 d51dfd972e6df5e8185dce0b4eb26dccb0527c5f1c63bc081677335f69b92b67
SHA512 1dbf60f5df95e72b98b72faccb52f83585bc0bc5b1f65c259e8568d812461b738bb37c96e72e2f272370788cc7dcd7a8e5a698d9fb2c773ce0e17978c19ef858

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-core-file-l1-2-0.dll

MD5 ec4f2cb68dcf7e96516eb284003be8bb
SHA1 fb9237719b5e21b9db176e41bdf125e6e7c01b11
SHA256 3816bbb7dd76d8fc6a7b83a0ed2f61b23dd5fc0843d3308ee077cb725d5c9088
SHA512 6cbda80c476a9fcf46458cac45229c96dc9df251230531e25088e834cd954db9ff4561e744f76495f9c57a4068b7635c72c6f9ff838436c54142297ee310b236

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-core-processthreads-l1-1-1.dll

MD5 f61b9ecb79cd20fc2e8fce87286cfe43
SHA1 7a48accbe43e156f886f1f2836f74e1043feec59
SHA256 bfa24f94ba095174b82d3657f8ecc689eab8ff380c69b1c9a7e311eb70d66386
SHA512 42ab62087bbc9fc9c9003ae96ebb9e9bbfa3db4eb74bd6746da035d53d1002015d8482ecb92620ec65c42b8b2b41d9b0a7793e105b0cf8cb6f713a2bc03241db

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-core-synch-l1-2-0.dll

MD5 e4110aa5c8a32b63de2c85e0bc297c54
SHA1 6039680f47750cf56d0c9a1768de815a44b83de7
SHA256 01bb32d692b86ebb39a76893125e0f3aaf957c6e4bd682fb46eac32f6fb65be7
SHA512 0631ea8224403ca113dff9b17852e92c1fcb2820e4f335b668b12689d2a8f058ba33905692f2fd0f4897f8f766db816747ec95478d854b75a0803d2c899e6d98

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-core-localization-l1-2-0.dll

MD5 dbb81fcc74c59490008ee59bffff5a6d
SHA1 edbb465ab3bea3a4df3f05e5a4e816edbe195c3b
SHA256 f33e6ac5d3e1c4f1d89564fb6aeeac170486c073b67694380755049dbc48eec1
SHA512 2847a73e952bd5f2448264e0bfc8dc1dcd37f8b02d6d6f525ef0cb69c8e634fdcc4637876361b22c53244659039ed305c015435834b61eea15015fed45e9c374

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-core-file-l2-1-0.dll

MD5 b9287eb7bcbfdcec2e8d4198fd266509
SHA1 1375b6ff6121ec140668881f4a0b02f0c517f6c7
SHA256 096409422ecd1894e4d6289fd2d1c7490bd83daff0c1e3d16c36c78bd477b895
SHA512 b86348d3f42d0ff465066a14c281088c73ec5e03efacdaabe27a410b054a8a81b438d7e5d030b0d95f53b07783911b8b8200581d4e0b6f1b3cc79f4aae1d67df

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\api-ms-win-core-timezone-l1-1-0.dll

MD5 00b548bf3eab7a6debce296ee5e877de
SHA1 ae18022eb78c192ac3baee32664b9eb011194772
SHA256 d592b91a087c001f9ea38dc5912a90c78fad3a368879d04fd7e5650ed374c8dc
SHA512 3ba15d9a0f1680c2b182cf04fbbfcb0d4f1b607519c161c590928930ad1b3eba8bd417575a51305b9552f0abf0064c74267336ec09cea709aed9228e4eac799e

\Users\Admin\AppData\Roaming\hudun\XunjieCADEditor\ucrtbase.dll

MD5 015b30309491a911e75748ad69c9e680
SHA1 2f2243b6ea99689cd54e45b67d9b7d98847f904c
SHA256 dd32570b8183a8b117233333153da29cc8d2ac5b1c868440dd852d9c3f77baf5
SHA512 51159e407021ce78ad64ea91a5e53f59ee15d6d74b9c2891cd6dd532cae3f1d388198e0cd78648ce067e82fa7f01050b4773d95c5c827439f094b289f0ee0ac8

C:\Users\Admin\AppData\Local\HDLocal\CADEditor\CADEditor_HDSConfigure.ini

MD5 5e284b37407d9563cb7abc7b16dce888
SHA1 b404d18fc4527aae3d92de581c2fcb4ed1a34b2f
SHA256 03906ddaa8e2dd6c5b2c0d071b719044da3447436a908ee2d74b28ef614d8cd0
SHA512 a219f1340b199d1b78c0e31183d5ca9dbc02aa0e5f7bd7bc6e41b56c8fcace37689d475692dc62583fe94005512a5f892e2b9c96bc6f3c921dbe55c994fdaa4d

C:\Users\Admin\AppData\Local\Temp\nsi1823.tmp\ShellExecAsUser.dll

MD5 552cba3c6c9987e01be178e1ee22d36b
SHA1 4c0ab0127453b0b53aeb27e407859bccb229ea1b
SHA256 1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29
SHA512 9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

memory/2572-1197-0x0000000003C60000-0x00000000055D4000-memory.dmp

memory/2572-1202-0x0000000003C60000-0x00000000055D4000-memory.dmp

memory/2572-1204-0x0000000003C60000-0x00000000055D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2C50.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2D51.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13f0030070f6c16999baa0a14e5ba5b1
SHA1 9231a88771c8eca6989b2b402fdf92bc9f8de886
SHA256 c8b7c236faa8669fc9a1c491adfda78e42a840e5ee866b461306b7228f7b111a
SHA512 e40409288e49c2885bfeb27e565e52326874f9e676ac7601b02592b2cfb276c31818f16ffeb07684e1f6869b1742cd2fb7a7ac4dee78788a650be73caf4a499b

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 4068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4068 -ip 4068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 600

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 220

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 4400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-debug-l1-1-0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-debug-l1-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-debug-l1-1-0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 600

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-1-0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-file-l1-1-0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 600

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 1292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1292 -ip 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240220-en

Max time kernel

122s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CADEditorLib.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CADEditorLib.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb\0\ = "Properties,0,2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CADEditorLib.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ = "SgCADEditor Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\1\ = "205201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ = "ISgCADEditorEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ProgID\ = "CADEditorLib.SgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ = "IsgStringConverter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor\ = "SgCADEditor Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ = "IsgStringConverter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\ = "CADEditorX Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CADEditorLib.dll,1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ = "ISgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ = "ISgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CADEditorLib.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CADEditorLib.dll

Network

N/A

Files

memory/2188-0-0x00000000022A0000-0x0000000003C14000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CADEditorLib.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ = "ISgCADEditorEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CADEditorLib.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ = "ISgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ = "ISgCADEditorEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\ = "CADEditorX Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb\0\ = "Properties,0,2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ProgID\ = "CADEditorLib.SgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ = "SgCADEditor Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\1\ = "205201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\Verb\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E79ED66-1F5E-444F-90F0-6AD076AD3E77} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CADEditorLib.dll,1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\ = "IsgStringConverter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor\ = "SgCADEditor Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E521A72D-9E45-459B-9F75-915D377BCCDB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71CC3B83-5821-4476-A8B6-A1C55B0A0B1C}\TypeLib\ = "{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CADEditorLib.SgCADEditor\Clsid\ = "{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 3968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 3968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 3968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Note: the writer is the 64-bit regsvr32 (system32) and the target is the 32-bit one (SysWOW64), which the 64-bit regsvr32 launches itself when handed a 32-bit DLL (see the Processes list below, where the child carries the same /s command line). Writes by a parent into a child it has just created are consistent with ordinary process start-up and are flagged by this signature for any launcher; the report shows nothing that points to injection of foreign code.

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CADEditorLib.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CADEditorLib.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Note: every row is a reverse (PTR) lookup sent to 8.8.8.8; no outbound connection is attributed to either regsvr32 process, so this run produced no network indicator for the DLL itself.

Files

memory/3968-0-0x0000000002860000-0x00000000041D4000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20240419-en

Max time kernel

118s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
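The indicator above records only that XunjieCADEditor.exe obtained a write-capable handle to \??\PhysicalDrive0; the report does not show a write to it, and that handle alone is what triggers the signature and the "bootkit" tag. The check a responder would run is to read sector 0 back and compare it with a known-good capture: a bootkit typically replaces the boot code and leaves the partition table intact so the system still boots. The following is an added example written for this report, not code from the sandbox or from the sample's vendor. The 512-byte sector it builds and the tampering it applies are constructed for the example; only `read_sector0` touches a real disk or image, and on a live Windows host the device path is an assumption that needs an elevated handle.

```python
"""Added example (not part of the sandbox report): parse a classic MBR and
compare two captures of sector 0 to confirm or rule out a bootkit write.
The sample sector below is constructed; it is not taken from the analysed file."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR: boot code occupies bytes 0..439
DISK_SIG_OFF = 440           # 4-byte NT disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = 0xAA55       # stored little-endian as 0x55 0xAA at bytes 510..511


def build_sample_mbr(boot_code: bytes = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb") -> bytes:
    """Construct a plausible clean MBR: a boot-code stub, a disk signature and one
    active NTFS partition starting at LBA 2048 (constructed sample data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and return the boot-code hash, disk signature
    and the populated partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{sig:04x}")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFF)
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:               # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
    }


def mbr_changed(before: bytes, after: bytes) -> dict:
    """Diff two captures of sector 0 by region. 'boot code changed, partition
    table unchanged' is the classic bootkit footprint."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code_sha256"] != a["boot_code_sha256"],
        "partition_table_changed": b["partitions"] != a["partitions"],
        "disk_signature_changed": b["disk_signature"] != a["disk_signature"],
    }


def read_sector0(path: str) -> bytes:
    """Read the first sector of a disk image or raw device. On Windows the device
    path r'\\\\.\\PhysicalDrive0' is an assumption and requires an elevated handle."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    # Simulate a boot-code overwrite that keeps the partition table intact (constructed).
    tampered = bytearray(clean)
    tampered[:3] = b"\xeb\x00\x90"   # hypothetical short jump patched over the stub
    print(parse_mbr(clean))
    print(mbr_changed(clean, bytes(tampered)))
```

In practice the "before" capture is the sector read from the clean snapshot the sandbox started from (or from a reference image of the same build), and the "after" capture is read from the detonated VM's disk; a match on all three regions means the signature fired on the handle alone.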

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\Application\ApplicationDescription = "迅捷CAD编辑器" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dxf\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\XunjieCADEditorExt\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwg\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dxf\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dxf\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunjieCADEditorExt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwg C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwg\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dws C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\XunjieCADEditorExt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dwt\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwg\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dwt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\XunjieCADEditorExt\Application\ApplicationName = "迅捷CAD编辑器" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\XunjieCADEditorExt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.dxf C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\XunjieCADEditorExt\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwg\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\XunjieCADEditorExt\Application C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe,0" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\shell\open\command C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dxf C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dxf\DefaultIcon C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwt\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dws\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\XunjieCADEditorExt\shell\open C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A
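The two "Modifies registry class" tables in this analysis and in the regsvr32 analysis above are long but answer only two triage questions: which COM class did regsvr32 register, and from where; and which file extensions now open with the executable dropped in the user's Temp directory. The following parser is an added example written for this report, not code from the sandbox or from the sample's vendor. SAMPLE_EVENTS copies a handful of rows verbatim from the tables above; the row-layout regexes and the "user-writable path" heuristic are assumptions about the report format. Note that HKEY_CLASSES_ROOT is a merged view in which the per-user hive (the `..._CLASSES` rows) takes precedence over HKLM, so a per-user handler is the one that actually runs when a .dwg file is double-clicked.

```python
"""Added example (not part of the sandbox report): parse 'Modifies registry class'
rows, extract COM registrations and file-association handlers, and flag values
that point into user-writable locations. SAMPLE_EVENTS is copied from the report."""
import re

# Row layouts used by the report (an assumption about its format):
#   Set value (<type>) <path>[ = "<data>"] <process> N/A
#   Key created <path> <process> N/A
# A trailing backslash on <path> denotes the key's (Default) value.
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+?)(?: = "(.*)")? (\S+) N/A$')
KEY_RE = re.compile(r'^Key created (\S+) (\S+) N/A$')
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CLSID_RE = re.compile(r"\\CLSID\\(" + GUID + r")(?:\\|$)")
# HKLM rows read ...\Classes\.dwg\..., per-user rows read ...\<SID>_CLASSES\.dwg\...
OPEN_CMD_RE = re.compile(r"(?:\\|_)Classes\\(\.\w+)\\shell\\open\\command\\$", re.IGNORECASE)
EXT_DEFAULT_RE = re.compile(r"(?:\\|_)Classes\\(\.\w+)\\$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\AppData\\|\\Temp\\", re.IGNORECASE)

# Rows copied from the report's tables (regsvr32 run and XunjieCADEditor.exe run).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87E1D10D-44DD-4B1B-A72F-9219D83D8BF3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CADEditorLib.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\ProgID\ = "CADEditorLib.SgCADEditor" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117DFC1-AD2A-46C9-80E0-1105FF21F19B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dwg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dws\ = "XunjieCADEditorExt" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dwg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XunjieCADEditor.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.dxf\OpenWithProgids\XunjieCADEditorExt C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe N/A',
]


def unescape(data: str) -> str:
    """Undo the report's escaping of backslashes and quotes inside value data."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def hive(path: str) -> str:
    return "HKLM" if path.upper().startswith("\\REGISTRY\\MACHINE\\") else "HKU"


def parse_event(line: str):
    """Return one event dict, or None for a row that matches neither layout."""
    m = SET_RE.match(line)
    if m:
        _vtype, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")      # name == "" for the (Default) value
        return {"op": "set", "path": path, "key": key, "name": name,
                "data": None if data is None else unescape(data), "process": proc}
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "create", "path": path, "key": path, "name": None,
                "data": None, "process": proc}
    return None


def summarize(lines) -> dict:
    out = {"clsids": set(), "associations": {}, "progids": {}, "user_writable_refs": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        m = CLSID_RE.search(ev["key"])
        if m:
            out["clsids"].add(m.group(1).upper())
        if ev["data"] is None:
            continue
        h = hive(ev["path"])
        m = OPEN_CMD_RE.search(ev["path"])
        if m:                                      # shell\open\command handler per hive
            out["associations"].setdefault(m.group(1).lower(), {})[h] = ev["data"]
        m = EXT_DEFAULT_RE.search(ev["path"])
        if m:                                      # extension -> ProgID mapping
            out["progids"][(h, m.group(1).lower())] = ev["data"]
        if USER_WRITABLE.search(ev["data"]):       # handler or server living where the user can overwrite it
            out["user_writable_refs"].append((h, ev["path"], ev["data"]))
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print("COM classes registered:", sorted(s["clsids"]))
    for ext, by_hive in sorted(s["associations"].items()):
        for h, cmd in by_hive.items():
            print(f"{ext} ({h}) opens with: {cmd}")
    for h, path, data in s["user_writable_refs"]:
        print(f"user-writable target in {h}: {path} -> {data}")
```

Running it over the full tables rather than the excerpt gives the complete list of extensions (.dwg, .dws, .dwt, .dxf) bound to the Temp-resident executable, which is the detail to carry into the persistence assessment: the binding survives until the file is deleted, and any later file in that Temp path with the same name inherits it.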

Processes

C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe"

C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe

"C:\Users\Admin\AppData\Local\Temp\XunjieCADEditor.exe" StartGuidAnimate 262166

Network

Country Destination Domain Proto
US 8.8.8.8:53 tj2.sjhfrj.com udp
US 8.8.8.8:53 tj.huduntech.com udp
CN 118.25.162.48:443 tj.huduntech.com tcp
GB 3.10.12.189:80 tj2.sjhfrj.com tcp
CN 118.25.162.48:443 tj.huduntech.com tcp
CN 118.25.162.48:443 tj.huduntech.com tcp

Files

C:\Users\Admin\AppData\Local\HDLocal\CADEditor\CADEditor_HDSConfigure.ini

MD5 06de03c962c15c5e13c6a44f315eca27
SHA1 1fd1f46887c853891af8fb5a4f9cc93c03808958
SHA256 1140fa216fee34dc2c5d68c9d28ee9a6e83d8e3e6af689fce89b73139f687310
SHA512 fab695a19a2af97250b231967a5303b3b56ec32c86f4f868511ddd1311beaa2a4124dec98b9fd29f1dee66f242b8f12512c46c7f0858f5ff5f2b8b44c921b8b0

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-console-l1-1-0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1028 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1028 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Note: the same 64-bit-to-32-bit hand-off seen with regsvr32 earlier in this report; the 64-bit rundll32 relaunches its SysWOW64 counterpart for a 32-bit DLL, and the writes belong to that process creation.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-console-l1-1-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-console-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-17 04:25

Reported

2024-05-17 04:28

Platform

win7-20231129-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 224

Note: WerFault is reporting a crash of the 32-bit rundll32 (PID 1216). FindProcDLL.dll sits in $PLUGINSDIR, the directory an NSIS installer unpacks its plugins into; NSIS plugin exports expect the installer's own parameter stack, so being invoked by rundll32 with export #1 and no arguments ends in a crash. This is a harness artifact of detonating each extracted DLL in isolation, not behaviour of the sample.

Network

N/A

Files

N/A