359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce

Analysis

max time kernel
189s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
Size

13.4MB
MD5

3143c00032a1ea047a24e780d1369e47
SHA1

3a3eddc54315f398642d707a345f8b2903e3abd9
SHA256

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce
SHA512

6c62dcc936c8c9f433469fbb1dd068be50f43ca9053a9ee7435859aed6a5bde1134c1bda1e8dd469e0805b95107bf89ebc730673b2d069959de7e820a4c14d83
SSDEEP

196608:dcepE527eDHmo4O8vUnIO+p+zRCND2uxLFx/CaGcmQjr138TvgFyQeQA:dceC5cS0OQUnbe9xLL6wmQMgJ7A

Score

10^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

RegSvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\BDShellExt	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\BDShellExt\ = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"	RegSvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\BDShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\BDShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\BDShellExt\ = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"	regsvr32.exe

Executes dropped EXE 6 IoCs

Processes:

G40458_s_0529.exeBDDownloader.exeBDDownloader.exeBDKVWsc.exebddownloader.exeBaiduSd.exe

pid process

1724 G40458_s_0529.exe
432 BDDownloader.exe
972 BDDownloader.exe
544 BDKVWsc.exe
1832 bddownloader.exe
1192 BaiduSd.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1596 netsh.exe

pid	process
1724	G40458_s_0529.exe
432	BDDownloader.exe
972	BDDownloader.exe
544	BDKVWsc.exe
1832	bddownloader.exe
1192	BaiduSd.exe

pid	process
1596	netsh.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduSd\\1.8.0.1255\\BDShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduSd\\1.8.0.1255\\BDShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32	regsvr32.exe

Loads dropped DLL 33 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exeG40458_s_0529.exeBDDownloader.exeBDDownloader.exeRegSvr32.exeregsvr32.exeRegSvr32.exeregsvr32.exeBaiduSd.exe

pid	process
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
432	BDDownloader.exe
432	BDDownloader.exe
432	BDDownloader.exe
432	BDDownloader.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
972	BDDownloader.exe
972	BDDownloader.exe
2016	RegSvr32.exe
624	regsvr32.exe
1584	RegSvr32.exe
1680	regsvr32.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1192	BaiduSd.exe
1192	BaiduSd.exe
1192	BaiduSd.exe
1192	BaiduSd.exe
1192	BaiduSd.exe
1192	BaiduSd.exe
1192	BaiduSd.exe
1192	BaiduSd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

description ioc process

File opened for modification \??\PhysicalDrive0 359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

Drops file in Program Files directory 64 IoCs

Processes:

G40458_s_0529.exeBDDownloader.exe

description	ioc	process
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\atl80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\uninst.exe	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\kav_verify.dat	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcp80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\KVTray_PluginConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\tips.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\tuopan.png	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bd0002.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bd0001.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\ToastImage.png	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\KVMainframe_PluginConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\blacksign.dat	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcr80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVMainFrame.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe	G40458_s_0529.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BDDownload\106\dl.dll	BDDownloader.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll	G40458_s_0529.exe
File opened for modification	C:\Program Files (x86)\Common Files\Baidu\BDDownload\106\bddownloader.exe	BDDownloader.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDConfig.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BDDownload\106\bddownloader.exe	BDDownloader.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\KavUpdate.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVUpdate.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepMgr.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BAV\bdvs.dat	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb	G40458_s_0529.exe
File created	C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll	G40458_s_0529.exe

Drops file in Windows directory 1 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

description ioc process

File opened for modification C:\windows\pc58611.dll 359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\windows\pc58611.dll	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

Modifies registry class 64 IoCs

Processes:

G40458_s_0529.exebddownloader.exeregsvr32.exeregsvr32.exeRegSvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ieCommonPlugin.Implement\CurVer	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader.1	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\ProgID\ = "BDShellExt.BDShellExtMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6B4447CA-C33E-4E65-914D-C7B346D73F80}\ = "ieCommonPlugin"	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\TypeLib	G40458_s_0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduSd\\1.8.0.1255\\BDShellExt.dll"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\NumMethods\ = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ieCommonPlugin.Implement\CLSID\ = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"	G40458_s_0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR\	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID\ = "BDDownloadProxy.Downloader.1"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}\ = "BDShellExt"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\TypeLib\ = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32\ThreadingModel = "Apartment"	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduSd\\1.8.0.1255\\BDShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\VersionIndependentProgID\ = "ieCommonPlugin.Implement"	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32\ThreadingModel = "Apartment"	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\BDShellExt\ = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid32\ = "{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ieCommonPlugin.Implement	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDShellExt.BDShellExtMenu.1\CLSID\ = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\BDShellExt	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\HELPDIR	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\ProgID\ = "ieCommonPlugin.Implement.1"	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid32	G40458_s_0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\ = "DownloadProxy 1.0 Type Library"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ieCommonPlugin.Implement\ = "Implement Class"	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDShellExt.BDShellExtMenu.1	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\TypeLib	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ = "PSFactoryBuffer"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\BDShellExt\ = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}	G40458_s_0529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\Programmable	G40458_s_0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\FLAGS\ = "0"	G40458_s_0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDShellExt.DLL\AppID = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32\ThreadingModel = "Both"	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib\ = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"	G40458_s_0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy"	bddownloader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exeG40458_s_0529.exe

pid	process
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1724	G40458_s_0529.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

G40458_s_0529.exe

description	pid	process
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe
Token: SeDebugPrivilege	1724	G40458_s_0529.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

pid	process
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exeG40458_s_0529.exeBDDownloader.exeBDDownloader.exebddownloader.exeRegSvr32.exe

description	pid	process	target process
PID 1728 wrote to memory of 1724	1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 1728 wrote to memory of 1724	1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 1728 wrote to memory of 1724	1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 1728 wrote to memory of 1724	1728	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 1724 wrote to memory of 432	1724	G40458_s_0529.exe	BDDownloader.exe
PID 1724 wrote to memory of 432	1724	G40458_s_0529.exe	BDDownloader.exe
PID 1724 wrote to memory of 432	1724	G40458_s_0529.exe	BDDownloader.exe
PID 1724 wrote to memory of 432	1724	G40458_s_0529.exe	BDDownloader.exe
PID 432 wrote to memory of 972	432	BDDownloader.exe	BDDownloader.exe
PID 432 wrote to memory of 972	432	BDDownloader.exe	BDDownloader.exe
PID 432 wrote to memory of 972	432	BDDownloader.exe	BDDownloader.exe
PID 432 wrote to memory of 972	432	BDDownloader.exe	BDDownloader.exe
PID 1724 wrote to memory of 544	1724	G40458_s_0529.exe	BDKVWsc.exe
PID 1724 wrote to memory of 544	1724	G40458_s_0529.exe	BDKVWsc.exe
PID 1724 wrote to memory of 544	1724	G40458_s_0529.exe	BDKVWsc.exe
PID 1724 wrote to memory of 544	1724	G40458_s_0529.exe	BDKVWsc.exe
PID 972 wrote to memory of 1832	972	BDDownloader.exe	bddownloader.exe
PID 972 wrote to memory of 1832	972	BDDownloader.exe	bddownloader.exe
PID 972 wrote to memory of 1832	972	BDDownloader.exe	bddownloader.exe
PID 972 wrote to memory of 1832	972	BDDownloader.exe	bddownloader.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 2016	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1832 wrote to memory of 1596	1832	bddownloader.exe	netsh.exe
PID 1832 wrote to memory of 1596	1832	bddownloader.exe	netsh.exe
PID 1832 wrote to memory of 1596	1832	bddownloader.exe	netsh.exe
PID 1832 wrote to memory of 1596	1832	bddownloader.exe	netsh.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1832 wrote to memory of 624	1832	bddownloader.exe	regsvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1724 wrote to memory of 1584	1724	G40458_s_0529.exe	RegSvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1584 wrote to memory of 1680	1584	RegSvr32.exe	regsvr32.exe
PID 1724 wrote to memory of 1192	1724	G40458_s_0529.exe	BaiduSd.exe
PID 1724 wrote to memory of 1192	1724	G40458_s_0529.exe	BaiduSd.exe
PID 1724 wrote to memory of 1192	1724	G40458_s_0529.exe	BaiduSd.exe
PID 1724 wrote to memory of 1192	1724	G40458_s_0529.exe	BaiduSd.exe

C:\Users\Admin\AppData\Local\Temp\359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
"C:\Users\Admin\AppData\Local\Temp\359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Program Files\58611\G40458_s_0529.exe
"C:\Program Files\58611\G40458_s_0529.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe
"C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\BDDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\BDDownloader.exe" /install
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:972

C:\program files (x86)\common files\baidu\bddownload\106\bddownloader.exe
"C:\program files (x86)\common files\baidu\bddownload\106\bddownloader.exe" -RegServer
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="百度高速下载器" dir=in program="C:\program files (x86)\common files\baidu\bddownload\106\bddownloader.exe" description="C:\program files (x86)\common files\baidu\bddownload\106\bddownloader.exe" action=allow
6⤵
- Modifies Windows Firewall
PID:1596

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\baidu\bddownload\106\bdcomproxy.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:624

C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe
"C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe" -start
3⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\RegSvr32.exe
"RegSvr32.exe" /s "C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"
3⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\RegSvr32.exe
"RegSvr32.exe" /s "C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll"
4⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1680

C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe
"C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe" -mod=BDCooly.dll -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll

Filesize
43KB

MD5
b23e16f7ab426d84f7d28dfb1b61ecb1

SHA1
22e930a2fcc18ca16246b9499f6d315f340bd66e

SHA256
e37017bad2a60441d1d46f6231c5be3e6387746d67dfe3826ad83522375fae34

SHA512
3e1f9a8d8feea44b1b89a759297a3315c149103d9e475e79b3688a7f1e74398ffadf682b0205fce6ca3bae42f60dca55103664a797c297fcee0998b16af6632b

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe

Filesize
1.5MB

MD5
a3e4c0f9702c4d94f48327ab4bd4f623

SHA1
7c36ebff98e86c8ed2959af50503b1d391b70507

SHA256
4ddf50a979d7b1f4775fca7cda656763922e01c8d5721c6de81447976fa4001c

SHA512
20f315b1eb2d7cd7706065e9b56020b769101e2ddd5b494148dd604b53576fe54774a695cbe0ee208c1634ff96061bee8fbd6c702fe081cc2dc8a103c5133165

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe

Filesize
1.5MB

MD5
a3e4c0f9702c4d94f48327ab4bd4f623

SHA1
7c36ebff98e86c8ed2959af50503b1d391b70507

SHA256
4ddf50a979d7b1f4775fca7cda656763922e01c8d5721c6de81447976fa4001c

SHA512
20f315b1eb2d7cd7706065e9b56020b769101e2ddd5b494148dd604b53576fe54774a695cbe0ee208c1634ff96061bee8fbd6c702fe081cc2dc8a103c5133165

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe

Filesize
381KB

MD5
4095c145259e889746755494ceb74eb7

SHA1
0d53b58d1681495e824d6ab436e43c7c90e307a0

SHA256
5ef115f87f3a0fc0e5103d67e54ef59db2cbaff6a19aacc5fd9c717f731c0e92

SHA512
6717a29d5ba04445eb77ada071c1a287f9a7a0b077c1ea7936281147c3566629260761641c7f13069314cd320305cccbc283188c91312d09d17225b5c080873a

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll

Filesize
252KB

MD5
ee66741056b4a37421d5de01b897aee3

SHA1
91ff4821161f38bc7408f30aed402c57ac1c105b

SHA256
cc99024d2960b4ed55f44aa0d50431b2f17b8959ba225ad943ea2557fa2a8d88

SHA512
73d97408e9896ef2180c611577c6fd23ad61f627413b29bf054f5b49e6561add24ada196c39da67e180c7d69ef576c2d51653df727c15d458418d0343e6ce6e2

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll

Filesize
936KB

MD5
350329be769648dbaf47eeaa6cdc120f

SHA1
8ef565a63f726749571c2980d52d8c3e74b19a7f

SHA256
fc1683bc7d1e0f888b755d2164630126e8868fe3606626b2e33dd7136e85196a

SHA512
b316040b91f8250643ad1ceb36619798c54abf79818eac5b25b72885808443942b55f993509c092e2984860d2189cb10ce18a8e21d2fd9a2e62e49057da83d58

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll

Filesize
276KB

MD5
93d734ae40875f4340388208d046b460

SHA1
ee054c44222164436edb30c30559ff32886101c2

SHA256
54649aff6c0c484c1af42181dcb399bc71d6296a8a1bc0f5ef15110527a98553

SHA512
6da63b939a604fd250c1332bf60c8a3eafdafbd64d31f16a70229417c7803b4b2c785568b157f84536957702d6ad4c932d734282dd9dfaec74f12119ae77dbc1

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll

Filesize
32KB

MD5
c9d9a790f4b3e522a6c87d14ecd02099

SHA1
e31df4a8c938dd4bf45a1e68c5613c635811177b

SHA256
12f9048c7cfe5c832fd970bcb294b1ddfeba5f2243df90b9041ba218569d2816

SHA512
1d0a4d8f4efde8619ddc5665d1fa22210b15d5eef58d7fae9eb7e6fd1c5f289912bec81a0678964fddb277f6784612c8fe5b5e66aa5dcb087544e48aab016454

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll

Filesize
1.3MB

MD5
4ab03490fde54a1860aa89e943b8fbed

SHA1
0a4c5cc6e5281bd6c346037a6d021ec8de1b5bd1

SHA256
f1cb09898bc0055037297b066967b81ebe49dd61d7d187ecab74811fdb17663c

SHA512
e72328d815e3b7e014af2b6117e84ec190e5342b55f7f5473dc003c2b9376fbb0dbb5aa45da2fa497cf354b3253cbf502dd7789dadcf3de062bd8eea2f1998ba

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll

Filesize
48KB

MD5
4b59d902f51020f623dbe2046cb545c1

SHA1
4486f834e9f41a34985ceb1c0013925a07ccfc1c

SHA256
5f54d0d27b2f4aa3581d6a68c4d049a98269f72fec4a3baabc560a10ecc9c355

SHA512
866ccd63d0bd8822ef41a8a74c74860cf0858a4a52a82fee4f56a8261e85c004451feb3cc42b0974eef08db2fe3198307b95122948b33339356fca676e072894

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll

Filesize
176KB

MD5
9b8a0d2008f246b4c52a0e258fbf09ea

SHA1
7d867ddf103f5b42990452397f8fee737d33c695

SHA256
d2715c29cdeed6489e59a19c7f0139626eb71c51be4d5d7d779f8aa3a932a8d1

SHA512
4d62beb5d03834910160919df48e35476377ae19acf7ad5f4b729a4470985e95a98edf5ba365ebcc328c52fcb97d79694cf942554383c1a9b8a494cb3bb1f357

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll

Filesize
416KB

MD5
6fcd374dc6935ace94ddb1056d2ef77a

SHA1
4b787d63888259fcdad0b6c2e510495df1c16a3c

SHA256
ace12d38a2c2a6175eea15712248dbc1300de2bd2c08be1d260bbc112ac65dc7

SHA512
1bd9cd344a1329dbff696ceb74a9692a5734c644ec201480fdce5484bd6ae9a052e493c5c862dccec89c42068493b44624a03074c82f3ba75047c3a5675e10b9

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll

Filesize
408KB

MD5
e202409a69eac5a70ff866734e1f2bdb

SHA1
0d5a0eed9a27fe34f6a033c027ba7f7ae655d882

SHA256
c7de70f0445a09939a3ba4e7d0a0a8788a473792b80dfb540924816e2c22cf44

SHA512
3ce67be79405c21ef9dd720afe624117d94b90bdbc125751d52a0d38cf916492f36e34f8cbde6417aafa18869f2a014fdb117cb776dfd9ceaf04cc0df5311dc8

Download Submit
C:\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe

Filesize
369KB

MD5
55e1c29ae1e2b905734d72b10a970469

SHA1
d3583dcc28e60e347f9b824e1215a1de0788daef

SHA256
b4d9c5409e2c03d15952dca1c53d76f00c946506c96dd906cde6bb99d9540bbb

SHA512
8e215b3b82ca6710f770d84bafd9a3e998e16046e6388f59bebae59ec111d8976de410139168300907ddc1f86158f1f29719612b4e2b6105989896a67868058c

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BDDownload\106\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
C:\Program Files\58611\G40458_s_0529.exe

Filesize
11.7MB

MD5
0ae79089d0ad62f542b8895c229cb4b6

SHA1
fd64d068d10708472e62693f18fd4e00f728e659

SHA256
8d0bbe035f96bb9ad2f7a2057d96f29ebb4ce0cc559526fe2cf5c00a154898f5

SHA512
a7b6aa49403e14bcdf74156b391ebecf0b0c7e62d243a8e3198a5e54997dbf6d550670326b955d1f873ebf7715f079090b5aa6b52521193a7ceb9e8ee22ee339

Download Submit
C:\Program Files\58611\G40458_s_0529.exe

Filesize
11.7MB

MD5
0ae79089d0ad62f542b8895c229cb4b6

SHA1
fd64d068d10708472e62693f18fd4e00f728e659

SHA256
8d0bbe035f96bb9ad2f7a2057d96f29ebb4ce0cc559526fe2cf5c00a154898f5

SHA512
a7b6aa49403e14bcdf74156b391ebecf0b0c7e62d243a8e3198a5e54997dbf6d550670326b955d1f873ebf7715f079090b5aa6b52521193a7ceb9e8ee22ee339

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\7z.dll

Filesize
362KB

MD5
03b2dee014eaba40724a921c6ec96e1a

SHA1
72fbb682f2f2f0720fdfc3d18e616d6e8bf1e8a8

SHA256
9dddb8165707497518463c6835534b5e22fd4b7ab9bb3faae504302dd5c1c4b9

SHA512
06e7cec599c548eaf2bde4a783e252e90f96d3040363c7cb68ca3e862b35852ec74d7f0fae575f0a55dddb77da63de33c4cdc8993c0977eb851a5100b2490839

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\BDDownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\bdcomproxy.dll

Filesize
68KB

MD5
ef79f0961cff2ca0dbdba1907b12f39a

SHA1
03882e9682f938fe71cef6b737af4e56029919a8

SHA256
51d35e04be31224bcc2b46d2152c38fa34670f6d9708555f139e4328515b6577

SHA512
5e733c08b51aafcfb3fa6e87cdfd90623ce7b9732821bb8d1936abcb2df731c5aa38b5f0faf50d6bfff89154df28b1184b75215a1b3e0a8a7b9865ae55c7c5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\dl.dll

Filesize
1.9MB

MD5
db1d8b5dad17e4d22722e27bcf9804c3

SHA1
a78d5013075a7f5ac4495a6d2dbd59ff54485c62

SHA256
faa7fedbf4ad3cc287360e7b3966f4b2c9e4b5f0e184a72e10a9f9081141c6d7

SHA512
3ba7131e2562c94207f3aaea74180d25b42450f7840390460916a73bce20d2b54585117acc9e11f3139f04200d90e962b40ae4ec9937a42ec1291b34ebad1c9c

Download Submit
C:\program files (x86)\common files\baidu\bddownload\106\bdcomproxy.dll

Filesize
68KB

MD5
ef79f0961cff2ca0dbdba1907b12f39a

SHA1
03882e9682f938fe71cef6b737af4e56029919a8

SHA256
51d35e04be31224bcc2b46d2152c38fa34670f6d9708555f139e4328515b6577

SHA512
5e733c08b51aafcfb3fa6e87cdfd90623ce7b9732821bb8d1936abcb2df731c5aa38b5f0faf50d6bfff89154df28b1184b75215a1b3e0a8a7b9865ae55c7c5f7

Download Submit
C:\program files (x86)\common files\baidu\bddownload\106\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll

Filesize
43KB

MD5
b23e16f7ab426d84f7d28dfb1b61ecb1

SHA1
22e930a2fcc18ca16246b9499f6d315f340bd66e

SHA256
e37017bad2a60441d1d46f6231c5be3e6387746d67dfe3826ad83522375fae34

SHA512
3e1f9a8d8feea44b1b89a759297a3315c149103d9e475e79b3688a7f1e74398ffadf682b0205fce6ca3bae42f60dca55103664a797c297fcee0998b16af6632b

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe

Filesize
1.5MB

MD5
a3e4c0f9702c4d94f48327ab4bd4f623

SHA1
7c36ebff98e86c8ed2959af50503b1d391b70507

SHA256
4ddf50a979d7b1f4775fca7cda656763922e01c8d5721c6de81447976fa4001c

SHA512
20f315b1eb2d7cd7706065e9b56020b769101e2ddd5b494148dd604b53576fe54774a695cbe0ee208c1634ff96061bee8fbd6c702fe081cc2dc8a103c5133165

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe

Filesize
381KB

MD5
4095c145259e889746755494ceb74eb7

SHA1
0d53b58d1681495e824d6ab436e43c7c90e307a0

SHA256
5ef115f87f3a0fc0e5103d67e54ef59db2cbaff6a19aacc5fd9c717f731c0e92

SHA512
6717a29d5ba04445eb77ada071c1a287f9a7a0b077c1ea7936281147c3566629260761641c7f13069314cd320305cccbc283188c91312d09d17225b5c080873a

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe

Filesize
381KB

MD5
4095c145259e889746755494ceb74eb7

SHA1
0d53b58d1681495e824d6ab436e43c7c90e307a0

SHA256
5ef115f87f3a0fc0e5103d67e54ef59db2cbaff6a19aacc5fd9c717f731c0e92

SHA512
6717a29d5ba04445eb77ada071c1a287f9a7a0b077c1ea7936281147c3566629260761641c7f13069314cd320305cccbc283188c91312d09d17225b5c080873a

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll

Filesize
252KB

MD5
ee66741056b4a37421d5de01b897aee3

SHA1
91ff4821161f38bc7408f30aed402c57ac1c105b

SHA256
cc99024d2960b4ed55f44aa0d50431b2f17b8959ba225ad943ea2557fa2a8d88

SHA512
73d97408e9896ef2180c611577c6fd23ad61f627413b29bf054f5b49e6561add24ada196c39da67e180c7d69ef576c2d51653df727c15d458418d0343e6ce6e2

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll

Filesize
936KB

MD5
350329be769648dbaf47eeaa6cdc120f

SHA1
8ef565a63f726749571c2980d52d8c3e74b19a7f

SHA256
fc1683bc7d1e0f888b755d2164630126e8868fe3606626b2e33dd7136e85196a

SHA512
b316040b91f8250643ad1ceb36619798c54abf79818eac5b25b72885808443942b55f993509c092e2984860d2189cb10ce18a8e21d2fd9a2e62e49057da83d58

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll

Filesize
276KB

MD5
93d734ae40875f4340388208d046b460

SHA1
ee054c44222164436edb30c30559ff32886101c2

SHA256
54649aff6c0c484c1af42181dcb399bc71d6296a8a1bc0f5ef15110527a98553

SHA512
6da63b939a604fd250c1332bf60c8a3eafdafbd64d31f16a70229417c7803b4b2c785568b157f84536957702d6ad4c932d734282dd9dfaec74f12119ae77dbc1

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll

Filesize
32KB

MD5
c9d9a790f4b3e522a6c87d14ecd02099

SHA1
e31df4a8c938dd4bf45a1e68c5613c635811177b

SHA256
12f9048c7cfe5c832fd970bcb294b1ddfeba5f2243df90b9041ba218569d2816

SHA512
1d0a4d8f4efde8619ddc5665d1fa22210b15d5eef58d7fae9eb7e6fd1c5f289912bec81a0678964fddb277f6784612c8fe5b5e66aa5dcb087544e48aab016454

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll

Filesize
1.3MB

MD5
4ab03490fde54a1860aa89e943b8fbed

SHA1
0a4c5cc6e5281bd6c346037a6d021ec8de1b5bd1

SHA256
f1cb09898bc0055037297b066967b81ebe49dd61d7d187ecab74811fdb17663c

SHA512
e72328d815e3b7e014af2b6117e84ec190e5342b55f7f5473dc003c2b9376fbb0dbb5aa45da2fa497cf354b3253cbf502dd7789dadcf3de062bd8eea2f1998ba

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll

Filesize
48KB

MD5
4b59d902f51020f623dbe2046cb545c1

SHA1
4486f834e9f41a34985ceb1c0013925a07ccfc1c

SHA256
5f54d0d27b2f4aa3581d6a68c4d049a98269f72fec4a3baabc560a10ecc9c355

SHA512
866ccd63d0bd8822ef41a8a74c74860cf0858a4a52a82fee4f56a8261e85c004451feb3cc42b0974eef08db2fe3198307b95122948b33339356fca676e072894

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll

Filesize
176KB

MD5
9b8a0d2008f246b4c52a0e258fbf09ea

SHA1
7d867ddf103f5b42990452397f8fee737d33c695

SHA256
d2715c29cdeed6489e59a19c7f0139626eb71c51be4d5d7d779f8aa3a932a8d1

SHA512
4d62beb5d03834910160919df48e35476377ae19acf7ad5f4b729a4470985e95a98edf5ba365ebcc328c52fcb97d79694cf942554383c1a9b8a494cb3bb1f357

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll

Filesize
416KB

MD5
6fcd374dc6935ace94ddb1056d2ef77a

SHA1
4b787d63888259fcdad0b6c2e510495df1c16a3c

SHA256
ace12d38a2c2a6175eea15712248dbc1300de2bd2c08be1d260bbc112ac65dc7

SHA512
1bd9cd344a1329dbff696ceb74a9692a5734c644ec201480fdce5484bd6ae9a052e493c5c862dccec89c42068493b44624a03074c82f3ba75047c3a5675e10b9

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll

Filesize
408KB

MD5
e202409a69eac5a70ff866734e1f2bdb

SHA1
0d5a0eed9a27fe34f6a033c027ba7f7ae655d882

SHA256
c7de70f0445a09939a3ba4e7d0a0a8788a473792b80dfb540924816e2c22cf44

SHA512
3ce67be79405c21ef9dd720afe624117d94b90bdbc125751d52a0d38cf916492f36e34f8cbde6417aafa18869f2a014fdb117cb776dfd9ceaf04cc0df5311dc8

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll

Filesize
408KB

MD5
e202409a69eac5a70ff866734e1f2bdb

SHA1
0d5a0eed9a27fe34f6a033c027ba7f7ae655d882

SHA256
c7de70f0445a09939a3ba4e7d0a0a8788a473792b80dfb540924816e2c22cf44

SHA512
3ce67be79405c21ef9dd720afe624117d94b90bdbc125751d52a0d38cf916492f36e34f8cbde6417aafa18869f2a014fdb117cb776dfd9ceaf04cc0df5311dc8

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe

Filesize
369KB

MD5
55e1c29ae1e2b905734d72b10a970469

SHA1
d3583dcc28e60e347f9b824e1215a1de0788daef

SHA256
b4d9c5409e2c03d15952dca1c53d76f00c946506c96dd906cde6bb99d9540bbb

SHA512
8e215b3b82ca6710f770d84bafd9a3e998e16046e6388f59bebae59ec111d8976de410139168300907ddc1f86158f1f29719612b4e2b6105989896a67868058c

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe

Filesize
369KB

MD5
55e1c29ae1e2b905734d72b10a970469

SHA1
d3583dcc28e60e347f9b824e1215a1de0788daef

SHA256
b4d9c5409e2c03d15952dca1c53d76f00c946506c96dd906cde6bb99d9540bbb

SHA512
8e215b3b82ca6710f770d84bafd9a3e998e16046e6388f59bebae59ec111d8976de410139168300907ddc1f86158f1f29719612b4e2b6105989896a67868058c

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll

Filesize
112KB

MD5
d620be8483f68c0546d0c5143b02c3c6

SHA1
fe303e0a9faa95253d27880347e2d3a769afd435

SHA256
9f5586eda4be41cf3eaadd33edcd0c358e6a826ee85f7661322cc01ccc40e2bb

SHA512
8929983cbbac6001d725119008538e962582ad600d05ef01565ff7915cbab8f21116b3efd3d346c999780a30300c2bfc0ed31ec6de23246de0547a8f5e57cece

Download Submit
\Program Files (x86)\Baidu\BaiduSd\1.8.0.1255\uninst.exe

Filesize
831KB

MD5
6310e9f314e8aaa084926812bfc30d6b

SHA1
9a19a68d081013a2ad7fd74d21f798659c6939da

SHA256
ae7d723462fa8be26e46d25e4a000083399d3082200cc4ea82ea4c5f0e15349c

SHA512
afc4259854e75b1258306eb63a06dc95afa4ba1eb95fdb329b651a991bb6c85eec570b132b8ca1631ce85b34ce5c94ab47826095d73d068f71dfa056b4a04dad

Download Submit
\Program Files (x86)\Common Files\Baidu\BDDownload\106\bdcomproxy.dll

Filesize
68KB

MD5
ef79f0961cff2ca0dbdba1907b12f39a

SHA1
03882e9682f938fe71cef6b737af4e56029919a8

SHA256
51d35e04be31224bcc2b46d2152c38fa34670f6d9708555f139e4328515b6577

SHA512
5e733c08b51aafcfb3fa6e87cdfd90623ce7b9732821bb8d1936abcb2df731c5aa38b5f0faf50d6bfff89154df28b1184b75215a1b3e0a8a7b9865ae55c7c5f7

Download Submit
\Program Files (x86)\Common Files\Baidu\BDDownload\106\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
\Program Files (x86)\Common Files\Baidu\BDDownload\106\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
\Program Files\58611\G40458_s_0529.exe

Filesize
11.7MB

MD5
0ae79089d0ad62f542b8895c229cb4b6

SHA1
fd64d068d10708472e62693f18fd4e00f728e659

SHA256
8d0bbe035f96bb9ad2f7a2057d96f29ebb4ce0cc559526fe2cf5c00a154898f5

SHA512
a7b6aa49403e14bcdf74156b391ebecf0b0c7e62d243a8e3198a5e54997dbf6d550670326b955d1f873ebf7715f079090b5aa6b52521193a7ceb9e8ee22ee339

Download Submit
\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.106.1[2022-11-23-11-12-8]\bddownloader.exe

Filesize
1.5MB

MD5
cdf79647be9d0dd3da36b4d10d747377

SHA1
6bc79e01a3759a412a676f59d02ab9f0069fe942

SHA256
780129c2d52aa602af4c0656da0806fb778049519fb97893cd95c83bdbe1d51f

SHA512
bfdb34a68b88992058a5b0aa8105c6a89e1d01f740880858b2aae612f4a9ed65c02b213af8e6af4a425ee2f94fb56dd667958d0365c0acfc6e253233ed8c339e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAC3.tmp\System.dll

Filesize
19KB

MD5
f52eb281e29da8065e18805617ac2cbc

SHA1
341481101614a595f0f8e6c1212a5a3b5e6ea426

SHA256
21805996ea8b483e5c722a80897b51af9a42636af0b27bed86560825bd079cc6

SHA512
f8649371d3575c37bbd246c27acdf61a6c8c52642b53e8bf3eec042a6d363855d17ccf6cfed9e586b66164565a3fb8c56939a15e907d3517e5f511fda3bb8dce

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAC3.tmp\System.dll

Filesize
19KB

MD5
f52eb281e29da8065e18805617ac2cbc

SHA1
341481101614a595f0f8e6c1212a5a3b5e6ea426

SHA256
21805996ea8b483e5c722a80897b51af9a42636af0b27bed86560825bd079cc6

SHA512
f8649371d3575c37bbd246c27acdf61a6c8c52642b53e8bf3eec042a6d363855d17ccf6cfed9e586b66164565a3fb8c56939a15e907d3517e5f511fda3bb8dce

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\BDMSkin.dll

Filesize
1.3MB

MD5
7e582f62e4235e841ef419a6ed2eb0f4

SHA1
7eb27e996f01a731ee8a2c3420543c8b75665849

SHA256
10c3aebe90d7d0536bf5dbd819a5cf1043058e88faf261ae7307071b13f76ed8

SHA512
a8bc2ddba3ed3b69337ad4ba19c04ddc90c62e77fb7a6b34c1de34f8cf43d4c5a229cc2c02d62dea1446ee95a4dbbaf46f59bb2e134125cb20e28013a62ee776

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\GetSupplyId.dll

Filesize
108KB

MD5
f1a3e3d2552723cf46f1e9aaa4741877

SHA1
560603c05014691982a18ca3fa4eb9a1670552a4

SHA256
e2ab61f602396cb75ff0745cf08c09ba6588163b34b9af93503e994df76a697e

SHA512
88c0c24ca167c15cb788bf09d777e5957337b34cfa6af7329f889ea7de1a454f5fb3570c053f0f47ed79131df1a1749e32bbd1f48462da7b6bde19af093d290a

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\KVInstallHelper.dll

Filesize
356KB

MD5
f62b69d432975fcde1fa72a795a6bab0

SHA1
27ce015f3f10bce44a0fcd2a021f41b8673c0770

SHA256
17cabf13174cae4f271cb07de23bdf341b86653a26b71f4dee415d98deb0a2e5

SHA512
d5d773d5c1ca626847556967950e2b298dc22acdc741dbaf9106ff231cef22ee770ff3cf539f5917a3006ec9708ca819a7307efb362fbf45f0e217f5a48ef760

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\KVInstallHelper.dll

Filesize
356KB

MD5
f62b69d432975fcde1fa72a795a6bab0

SHA1
27ce015f3f10bce44a0fcd2a021f41b8673c0770

SHA256
17cabf13174cae4f271cb07de23bdf341b86653a26b71f4dee415d98deb0a2e5

SHA512
d5d773d5c1ca626847556967950e2b298dc22acdc741dbaf9106ff231cef22ee770ff3cf539f5917a3006ec9708ca819a7307efb362fbf45f0e217f5a48ef760

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\NewPih.dll

Filesize
116KB

MD5
8d8685af565a0477d509562e1b5c62b6

SHA1
bcc562120683fbbb8c5d00222e41df14eecc00de

SHA256
dc8da34c25adb4219d4c1c9f4d8de45e02eb516fcea34dac60a9e7df09fe45d7

SHA512
7f7facf2754383090143e03728f5d9e8c466574d092e66a7b21dcb55c55b98cde0086e68717691c467b697c4c60f858a8e89540bcdfc5be642910842886efd32

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\PluginInstallHelper.dll

Filesize
108KB

MD5
2f13d0b09d35456a28dcb5fcdc9db637

SHA1
71dc6a89abf1962ed4998d460ea8de93d48896cd

SHA256
6ecace54bf4b442d9689c35d3ce0812fc4817b394589cd9b6d97d47d9db49a30

SHA512
364b839c367ae92daf83b0724ef8a9fb6845c6ab48d4833ca3169a338ec6b5f913447613605942f4e2d28c882760fc8700d35b7bdc5183405ece8e4bc2bd8087

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDB06.tmp\System.dll

Filesize
18KB

MD5
1c951bbcbc780046d6be1079a04870a4

SHA1
a5bae7d838973154e6fac69b1c5ff7d2cda01906

SHA256
d23676fbcf76355d1af68e7b32964b837243349920921b2ec74d97554809a65e

SHA512
62c3686baed2232f7d8ddc8f48a41761812b5b2a67f3a689b7a43275f077842366abc13c7e8259613bfd9df25cf467e4001337c1454aec910abce121d551e2d8

Download Submit
memory/432-82-0x0000000000000000-mapping.dmp

Download
memory/544-95-0x0000000000000000-mapping.dmp

Download
memory/624-112-0x0000000000000000-mapping.dmp

Download
memory/972-90-0x0000000000000000-mapping.dmp

Download
memory/1192-134-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/1192-150-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/1192-138-0x00000000007A0000-0x0000000000889000-memory.dmp

Filesize
932KB

Download
memory/1192-146-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/1192-155-0x0000000000C00000-0x0000000000D48000-memory.dmp

Filesize
1.3MB

Download
memory/1192-142-0x0000000000890000-0x00000000008D4000-memory.dmp

Filesize
272KB

Download
memory/1192-126-0x0000000000000000-mapping.dmp

Download
memory/1584-114-0x0000000000000000-mapping.dmp

Download
memory/1596-109-0x0000000000000000-mapping.dmp

Download
memory/1680-120-0x0000000000000000-mapping.dmp

Download
memory/1680-121-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

Filesize
8KB

Download
memory/1724-58-0x0000000000000000-mapping.dmp

Download
memory/1724-66-0x00000000006A0000-0x00000000006BC000-memory.dmp

Filesize
112KB

Download
memory/1724-79-0x0000000004FF0000-0x000000000500A000-memory.dmp

Filesize
104KB

Download
memory/1724-68-0x00000000006C0000-0x000000000071B000-memory.dmp

Filesize
364KB

Download
memory/1728-54-0x0000000076301000-0x0000000076303000-memory.dmp

Filesize
8KB

Download
memory/1728-64-0x0000000000400000-0x00000000011C6000-memory.dmp

Filesize
13.8MB

Download
memory/1728-56-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1728-55-0x0000000000400000-0x00000000011C6000-memory.dmp

Filesize
13.8MB

Download
memory/1832-103-0x0000000000000000-mapping.dmp

Download
memory/2016-107-0x0000000000000000-mapping.dmp

Download