549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe
Size

31.5MB
MD5

825c74709ea3d2f5f19ba58f4d995cba
SHA1

d43f1c0983f212ea808fa73b2921b5c0fb0ac42a
SHA256

549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e
SHA512

ffa696d104047ff9243b1aa4179f8c3762615e33cb7eadf5e9b439e5263dda458227a0a12437810383a80961f745f78e64b4985aa67c65ef7fcd82cde447c063
SSDEEP

786432:haXj+hzDp2e6W3dJzZji9iRKpL+f3WmB3f0AUKX:haz+jvX3bzZjUL+Pr3fhD

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

Processes:

BaiduProtect_Setup.exeBaiduProtect.exeG0724_s_804390000.execmd.exe

description	ioc	process
File created	C:\Windows\system32\DRIVERS\bd0001.sys	BaiduProtect_Setup.exe
File created	C:\Windows\system32\DRIVERS\BDArKit.sys	BaiduProtect.exe
File opened for modification	C:\Windows\system32\DRIVERS\bd0001.sys	G0724_s_804390000.exe
File created	C:\Windows\system32\DRIVERS\bd0002.sys	G0724_s_804390000.exe
File created	C:\Windows\system32\DRIVERS\BDMNetMon.sys	G0724_s_804390000.exe
File created	C:\windows\SysWOW64\drivers\BrowserSafe.sys	cmd.exe
File opened for modification	C:\windows\SysWOW64\drivers\BrowserSafe.sys	cmd.exe
File opened for modification	C:\Windows\system32\DRIVERS\bd0004.sys	BaiduProtect.exe
File created	C:\Windows\system32\DRIVERS\BDArKit.sys	G0724_s_804390000.exe
File opened for modification	C:\Windows\system32\DRIVERS\bd0001.sys	BaiduProtect_Setup.exe
File created	C:\Windows\system32\DRIVERS\bd0004.sys	BaiduProtect.exe

Executes dropped EXE 21 IoCs

Processes:

9e_BaiduAn_ID=34975,BWS=804423166,.exeunstall.exe9EPostService.exe9EPostService.exeBrowserSafe.exeG0724_s_804390000.exeBDABrowserProtect.exeBaiduProtect_Setup.exeBaiduProtect.exeBaiduProtect.exeBDABrowserProtect.exeBDDownloader.exeBDDownloader.exebddownloader.exeBaiduAn.exeBaiduAn.exeBaiduAnSvc.exeBaiduAnSvc.exeBDSGBugRpt.exeBaiduAnTray.exeBDALeakfixer.exe

pid	process
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
668	unstall.exe
820	9EPostService.exe
880	9EPostService.exe
1908	BrowserSafe.exe
916	G0724_s_804390000.exe
1964	BDABrowserProtect.exe
1732	BaiduProtect_Setup.exe
1504	BaiduProtect.exe
1896	BaiduProtect.exe
1208	BDABrowserProtect.exe
1976	BDDownloader.exe
1144	BDDownloader.exe
940	bddownloader.exe
944	BaiduAn.exe
556	BaiduAn.exe
732	BaiduAnSvc.exe
568	BaiduAnSvc.exe
1776	BDSGBugRpt.exe
1208	BaiduAnTray.exe
2032	BDALeakfixer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

304 netsh.exe

pid	process
304	netsh.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduAn\\2.3.0.2225\\BDSWShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduAn\\2.3.0.2225\\BDSWShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe

Sets service image path in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

G0724_s_804390000.exeBaiduAnSvc.exeBaiduProtect.exeBaiduProtect_Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0001\ImagePath = "system32\\DRIVERS\\bd0001.sys"	G0724_s_804390000.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BDArKit\ImagePath = "system32\\DRIVERS\\BDArKit.sys"	G0724_s_804390000.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BDMNetMon\ImagePath = "system32\\DRIVERS\\BDMNetMon.sys"	BaiduAnSvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BDArKit\ImagePath = "system32\\DRIVERS\\BDArKit.sys"	BaiduAnSvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0004\ImagePath = "system32\\DRIVERS\\bd0004.sys"	BaiduProtect.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BDArKit\ImagePath = "system32\\DRIVERS\\BDArKit.sys"	BaiduProtect.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0002\ImagePath = "system32\\DRIVERS\\bd0002.sys"	G0724_s_804390000.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BDMNetMon\ImagePath = "system32\\DRIVERS\\BDMNetMon.sys"	G0724_s_804390000.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0001\ImagePath = "system32\\DRIVERS\\bd0001.sys"	BaiduAnSvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0002\ImagePath = "system32\\DRIVERS\\bd0002.sys"	BaiduAnSvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0001\ImagePath = "system32\\DRIVERS\\bd0001.sys"	BaiduProtect_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bd0001\ImagePath = "system32\\DRIVERS\\bd0001.sys"	BaiduProtect.exe

Loads dropped DLL 64 IoCs

Processes:

9e_BaiduAn_ID=34975,BWS=804423166,.execmd.exeG0724_s_804390000.exeBDABrowserProtect.exeBaiduProtect_Setup.exeBaiduProtect.exeBaiduProtect.exe

pid	process
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
1768	cmd.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
532	9e_BaiduAn_ID=34975,BWS=804423166,.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
1964	BDABrowserProtect.exe
1964	BDABrowserProtect.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1504	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1504	BaiduProtect.exe
1896	BaiduProtect.exe
1504	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BaiduAnSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduAnTray = "\"C:\\Program Files (x86)\\Baidu\\BaiduAn\\2.3.0.2225\\BaiduAnTray.exe\" -stmd=3"	BaiduAnSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

BaiduProtect.exeG0724_s_804390000.exeBaiduAnSvc.exeBaiduAnSvc.exeBaiduAnTray.exeBDALeakfixer.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	BaiduProtect.exe
File opened for modification	\??\PhysicalDrive0	G0724_s_804390000.exe
File opened for modification	\??\PhysicalDrive0	BaiduAnSvc.exe
File opened for modification	\??\PhysicalDrive0	BaiduAnSvc.exe
File opened for modification	\??\PhysicalDrive0	BaiduAnTray.exe
File opened for modification	\??\PhysicalDrive0	BDALeakfixer.exe

Drops file in System32 directory 3 IoCs

Processes:

BaiduProtect_Setup.exeBDSGBugRpt.exe

description	ioc	process
File created	C:\Windows\system32\bd64_x64.dll	BaiduProtect_Setup.exe
File created	C:\Windows\system32\bd64_x86.dll	BaiduProtect_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	BDSGBugRpt.exe

Drops file in Program Files directory 64 IoCs

Processes:

BDABrowserProtect.exeG0724_s_804390000.exeBaiduProtect_Setup.exeBaiduProtect.exeBDDownloader.exe

description	ioc	process
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BDABrowserProtect.exe	BDABrowserProtect.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDMWindowsLib.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\bdmmainframeplugins\PluginSetup.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\bdsg0001.dll	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\FTSysFixer\SysFixerLuaScript.dat	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Tips\win8_1_num_2_speed.png	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDASWAcc.exe	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDLogicUtils.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\RTPPlugins\RtpContainerConfig.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\uninst.exe	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\websafe\WebSafe.dll	G0724_s_804390000.exe
File opened for modification	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDABrowserProtect.exe	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Default\Unknownfile.rdb	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDMSafePlugins\SafePluginContainerConfig.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDLogicUtils.dll	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BDMNet.dll	BDABrowserProtect.exe
File opened for modification	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\GameNoDisturb.ini	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\RTPPlugins\BDMSOAccServicePlugin.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\BDSGRtpDyn_ContainerConfig.xml	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Default\BDMTray.rdb	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Tips\win8_1_num_7_speed.png	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\BdsdTestPlugin.dll	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Default\Patcher.rdb	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Default\SiteInspection.rdb	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\GCCallbackBind.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDMSafePlugins\BDMPatcherPlugin.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\FTSOManager\SOGarbageConfig.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\licenses\directui license.txt	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\bdmantivirus\bduf.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Tips\win8_1_minute_speed.png	G0724_s_804390000.exe
File created	C:\Program Files (x86)\ssk	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\PluginManager\PluginConfig.db	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnSvc.exe	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\FTSOManager\BDMSOLiveAccStrategyMgr.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\bdmantivirus\systemfile.dat	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\bdmantivirus\BDKitUtils.dll	G0724_s_804390000.exe
File opened for modification	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\Data\apps.db	BaiduProtect.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\ProtectConfig.xml	BDABrowserProtect.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BDBrowserProtecter.png	BDABrowserProtect.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\FTSOManager\SOPluginCleanerConfig.dat	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Default\SysFixer.rdb	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BDDownload\107\bddownloader.exe	BDDownloader.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDMSafePlugins\BDMSysFixerPlugin.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\Microsoft.VC80.CRT\msvcr80.dll	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\FTSOManager\SOCleanerConfig.dat	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\bdmmainframeplugins\MainframePluginContainerConfig.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\ad.dll	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BDKitUtils.dll	BDABrowserProtect.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\bdmmainframeplugins\BDMSafePlugin.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\FTSOManager\SORegCleanerScript.dat	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\drivers\BDEnhanceBoost.sys	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDMStringUtils.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDMCoolyPlugins\BDMSOAccCoolyPlugin.dll	G0724_s_804390000.exe
File opened for modification	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\Data\apps.db-journal	BaiduProtect.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\dnw.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\licenses\duilib license.txt	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\SysRepLib.dat	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\HotPlugins.xml	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDMSafePlugins\BDMKVMainPlugin.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest	BaiduProtect_Setup.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Default\Softmgr.rdb	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\Skins\Tips\win8_1_num_4_speed.png	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\DriverManager.dll	G0724_s_804390000.exe
File created	C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\bdmkvscanplugin\BDMKVScanPluginContainerConfig.xml	G0724_s_804390000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe	nsis_installer_1
C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe	nsis_installer_2
C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe	nsis_installer_1
C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe	nsis_installer_2

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1148 taskkill.exe
2000 taskkill.exe
1300 taskkill.exe
1568 taskkill.exe
908 taskkill.exe
1252 taskkill.exe
1776 taskkill.exe

pid	process
1148	taskkill.exe
2000	taskkill.exe
1300	taskkill.exe
1568	taskkill.exe
908	taskkill.exe
1252	taskkill.exe
1776	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

9e_BaiduAn_ID=34975,BWS=804423166,.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	9e_BaiduAn_ID=34975,BWS=804423166,.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	9e_BaiduAn_ID=34975,BWS=804423166,.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

9e_BaiduAn_ID=34975,BWS=804423166,.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.919yi.cn/?id=34975&m=7E4CDA66D2DC&s=Mfb8757536b1f924ac1d9dd3ed1719c3c"	9e_BaiduAn_ID=34975,BWS=804423166,.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.919yi.cn/?id=34975&m=7E4CDA66D2DC&s=Mfb8757536b1f924ac1d9dd3ed1719c3c"	9e_BaiduAn_ID=34975,BWS=804423166,.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

BaiduProtect.exeBDSGBugRpt.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	BaiduProtect.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	BaiduProtect.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	BaiduProtect.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	BDSGBugRpt.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exebddownloader.exeRegSvr32.exeregsvr32.exeG0724_s_804390000.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader\CurVer\ = "BDDownloadProxy.Downloader.1"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\ProgID\ = "BDSWShellExt.BDSWShellExtMenu.1"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ABDSWShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader.1	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70891BDB-3BE3-45A9-96B6-184ABA962091}\1.0\0\win64\ = "C:\\Program Files (x86)\\Baidu\\BaiduAn\\2.3.0.2225\\BDSWShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader.1\CLSID\ = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\ = "IBDSWShellExtMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDSWShellExt.BDSWShellExtMenu\CurVer	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\AppID = "{A8B81847-1462-4756-9D4A-F506BC5361CD}"	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\NumMethods	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\NumMethods\ = "3"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ = "Downloader Class"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDSWShellExt.BDSWShellExtMenu.1\CLSID	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\ = "DownloadProxy 1.0 Type Library"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID\ = "BDDownloadProxy.Downloader.1"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\program files (x86)\\common files\\baidu\\bddownload\\107\\bdcomproxy.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command\ = "\"C:\\Program Files (x86)\\Baidu\\BaiduAn\\2.3.0.2225\\BDAFileHelper.exe\" -file=\"%1\""	G0724_s_804390000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDSWShellExt.BDSWShellExtMenu\ = "BDSWShellExtMenu Class"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader\CLSID\ = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\ = "IBDSWShellExtMenu"	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0"	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ = "IDownloader_2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDSWShellExt.BDSWShellExtMenu.1\ = "BDSWShellExtMenu Class"	RegSvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader\CurVer	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID\ = "BDDownloadProxy.Downloader"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDDownloadProxy.Downloader.1\CLSID	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib	bddownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70891BDB-3BE3-45A9-96B6-184ABA962091}\1.0\FLAGS	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\ProxyStubClsid32\ = "{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}"	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDSWShellExt.BDSWShellExtMenu.1\ = "BDSWShellExtMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"	bddownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDSWShellExt.BDSWShellExtMenu	RegSvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A8B81847-1462-4756-9D4A-F506BC5361CD}\ = "BDSWShellExt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\VersionIndependentProgID\ = "BDSWShellExt.BDSWShellExtMenu"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

G0724_s_804390000.exeBDABrowserProtect.exeBaiduProtect_Setup.exeBaiduProtect.exeBaiduAnSvc.exe

pid	process
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
916	G0724_s_804390000.exe
1964	BDABrowserProtect.exe
1964	BDABrowserProtect.exe
1732	BaiduProtect_Setup.exe
1732	BaiduProtect_Setup.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
1896	BaiduProtect.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
1896	BaiduProtect.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe
568	BaiduAnSvc.exe

Suspicious behavior: LoadsDriver 23 IoCs

Processes:

pid process

460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460

pid	process
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeG0724_s_804390000.exeBDABrowserProtect.exeBaiduProtect_Setup.exeBaiduProtect.exeBaiduAnSvc.exeBaiduAnTray.exe

description	pid	process
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	916	G0724_s_804390000.exe
Token: SeDebugPrivilege	1964	BDABrowserProtect.exe
Token: SeDebugPrivilege	1964	BDABrowserProtect.exe
Token: SeDebugPrivilege	1732	BaiduProtect_Setup.exe
Token: SeDebugPrivilege	1732	BaiduProtect_Setup.exe
Token: SeLoadDriverPrivilege	1732	BaiduProtect_Setup.exe
Token: SeLoadDriverPrivilege	1896	BaiduProtect.exe
Token: SeLoadDriverPrivilege	916	G0724_s_804390000.exe
Token: SeLoadDriverPrivilege	568	BaiduAnSvc.exe
Token: SeLoadDriverPrivilege	568	BaiduAnSvc.exe
Token: 33	1208	BaiduAnTray.exe
Token: SeIncBasePriorityPrivilege	1208	BaiduAnTray.exe
Token: 33	1208	BaiduAnTray.exe
Token: SeIncBasePriorityPrivilege	1208	BaiduAnTray.exe

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

BaiduAnTray.exe

pid	process
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe
1208	BaiduAnTray.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

BaiduAnTray.exe

pid process

1208 BaiduAnTray.exe
1208 BaiduAnTray.exe
1208 BaiduAnTray.exe
1208 BaiduAnTray.exe
1208 BaiduAnTray.exe
1208 BaiduAnTray.exe
1208 BaiduAnTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe9e_BaiduAn_ID=34975,BWS=804423166,.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 1092 wrote to memory of 532	1092	549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe	9e_BaiduAn_ID=34975,BWS=804423166,.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 668	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	unstall.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 532 wrote to memory of 1884	532	9e_BaiduAn_ID=34975,BWS=804423166,.exe	cmd.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 2000	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1300	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1568	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1252	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1776	1884	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 1148	1884	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe
"C:\Users\Admin\AppData\Local\Temp\549f05d9c10be5e43c6b2eb0a370b048ccf98a0a1f05f02280b541f20aa7304e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe
"C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\unstall.exe
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\unstall.exe
3⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\9EÈí¼þ°²×°ÓÅ»¯.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im 2345Update.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im 2345SafeGuard.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im 2345Safe.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im QQPCTray.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im BaiduSdTray.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im BaiduAnTray.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im "SoftWare SVC.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\9ENetwork\Uninst.bat""
3⤵
PID:932

C:\Program Files (x86)\9ENetwork\9EPostService.exe
"C:\Program Files (x86)\9ENetwork\9EPostService.exe" -install
3⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\9EService.bat
3⤵
- Drops file in Drivers directory
- Loads dropped DLL
PID:1768

C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\BrowserSafe.exe
"BrowserSafe.exe"
4⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\G0724_s_804390000.exe
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\G0724_s_804390000.exe /supplyid=804423166
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225" /T /E /C /G SYSTEM:F
4⤵
PID:2020

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDABrowserProtect.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDABrowserProtect.exe" /supplyid=804423166 /installmode=2 /S /D=C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BaiduProtect_Setup.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BaiduProtect_Setup.exe" /S
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe
"C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe" -s
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BDABrowserProtect.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BDABrowserProtect.exe" --exit=1 --lockbrowser=iexplore.exe
4⤵
- Executes dropped EXE
PID:1208

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDDownloader.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDDownloader.exe"
4⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.107.0[2022-11-29-22-43-37]\BDDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\BDDownloader_Installer\1.0.107.0[2022-11-29-22-43-37]\BDDownloader.exe" /install
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1144

C:\program files (x86)\common files\baidu\bddownload\107\bddownloader.exe
"C:\program files (x86)\common files\baidu\bddownload\107\bddownloader.exe" -RegServer
6⤵
- Executes dropped EXE
- Modifies registry class
PID:940

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="百度高速下载器" dir=in program="C:\program files (x86)\common files\baidu\bddownload\107\bddownloader.exe" description="C:\program files (x86)\common files\baidu\bddownload\107\bddownloader.exe" action=allow
7⤵
- Modifies Windows Firewall
PID:304

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\baidu\bddownload\107\bdcomproxy.dll"
7⤵
- Modifies registry class
PID:936

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAn.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAn.exe" -mod=BDCooly.dll -install
4⤵
- Executes dropped EXE
PID:944

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAn.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAn.exe" -mod=BDCooly.dll -oldv= -newv=2.3.0.2225
4⤵
- Executes dropped EXE
PID:556

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnSvc.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnSvc.exe" -s
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:732

C:\Windows\SysWOW64\RegSvr32.exe
"RegSvr32.exe" /s "C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDSWShellExt.dll"
4⤵
- Modifies registry class
PID:1408

C:\Windows\SysWOW64\RegSvr32.exe
"RegSvr32.exe" /s "C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDSWShellExt64.dll"
4⤵
PID:1756

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDSWShellExt64.dll"
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:1208

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnTray.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnTray.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDALeakfixer.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BDALeakfixer.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2032

C:\Program Files (x86)\9ENetwork\9EPostService.exe
"C:\Program Files (x86)\9ENetwork\9EPostService.exe"
1⤵
- Executes dropped EXE
PID:880

C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe
"C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe" -r
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDSGBugRpt.exe
"C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDSGBugRpt.exe" /BSOD
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1776

C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnSvc.exe
"C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\BaiduAnSvc.exe" -r
1⤵
- Executes dropped EXE
- Sets service image path in registry
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe
Filesize
31.9MB

MD5
6dcf00aaaa3dbf72a292d2658e7dc73b

SHA1
a29ebde73b237224cab5874768d615630128e372

SHA256
cacdd0eaa2f82130dfe25c1e9da2d3f79e13b378d5d47689e0d300b24289245e

SHA512
dc40c7dc814716aee57a1ee7834fa738d69995930ccfdd16f1255019d0a22b9684ad01395cea0e3792fbfa97e13d88e341496e3d83d963e1639550ffc76dc58e

Download Submit
C:\9e_BaiduAn_ID=34975,BWS=804423166,.exe
Filesize
31.9MB

MD5
6dcf00aaaa3dbf72a292d2658e7dc73b

SHA1
a29ebde73b237224cab5874768d615630128e372

SHA256
cacdd0eaa2f82130dfe25c1e9da2d3f79e13b378d5d47689e0d300b24289245e

SHA512
dc40c7dc814716aee57a1ee7834fa738d69995930ccfdd16f1255019d0a22b9684ad01395cea0e3792fbfa97e13d88e341496e3d83d963e1639550ffc76dc58e

Download Submit
C:\Program Files (x86)\9ENetwork\9EPostService.exe
Filesize
337KB

MD5
f2a894e4a554b97cbdac7e0a04331334

SHA1
c7004b63f4d677201f339e4ec086ede76eedf73f

SHA256
020756fcefe510aecb136d0d8225a4cd76c97a0201ecb1530c3e9ff6bc346bba

SHA512
35a94c2cd4b837a287b367f2572cd579ccf7827e29e0f19c3085665e27ec0f8df760af2f1b6feb3fe3471f3397589bf8bab4a1083903745844c3933c4ad4005b

Download Submit
C:\Program Files (x86)\9ENetwork\9EPostService.exe
Filesize
337KB

MD5
f2a894e4a554b97cbdac7e0a04331334

SHA1
c7004b63f4d677201f339e4ec086ede76eedf73f

SHA256
020756fcefe510aecb136d0d8225a4cd76c97a0201ecb1530c3e9ff6bc346bba

SHA512
35a94c2cd4b837a287b367f2572cd579ccf7827e29e0f19c3085665e27ec0f8df760af2f1b6feb3fe3471f3397589bf8bab4a1083903745844c3933c4ad4005b

Download Submit
C:\Program Files (x86)\9ENetwork\Uninst.bat
Filesize
25B

MD5
df11eb2122a389000fb19f7c272850e7

SHA1
d7c65b844d63d3524e42297d816c60740f4794d8

SHA256
52707973cc664a5338c16e010748d868817c1aedd33b9b87add5e6a72d4c32d9

SHA512
d0c6e9a4101db6b2b1d80037051ef6d50fd5e100fb10ec49ea7054b42a9f6b5fa26b456525e15dd502120c7b5d3910e107998ce65a0501cbcdf0e19abf796ac9

Download Submit
C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDABrowserProtect.exe
Filesize
5.5MB

MD5
7623fdd5816aca66af09ac8f591a3058

SHA1
e1a71a6f71bc277afe160dcdf894cb81a1a92736

SHA256
dc0fb6953c61010675372b48265f63ddc01f22807abc5a93b9cc72c43a2b74cc

SHA512
b1e6532041502b3b92b208f563b17825b2817a6ec182ee4500f70b883f4f79c9b3ef0be745a73bf24d15e49ade2f34e98cc5cd1cb79a5ef84c5e130e5bd4e0d3

Download Submit
C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDABrowserProtect.exe
Filesize
5.5MB

MD5
7623fdd5816aca66af09ac8f591a3058

SHA1
e1a71a6f71bc277afe160dcdf894cb81a1a92736

SHA256
dc0fb6953c61010675372b48265f63ddc01f22807abc5a93b9cc72c43a2b74cc

SHA512
b1e6532041502b3b92b208f563b17825b2817a6ec182ee4500f70b883f4f79c9b3ef0be745a73bf24d15e49ade2f34e98cc5cd1cb79a5ef84c5e130e5bd4e0d3

Download Submit
C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BaiduProtect_Setup.exe
Filesize
3.1MB

MD5
7d1931c7d4f92f8357667719e6073116

SHA1
080f6c906c9feedff44713f9ebf0867d3208b226

SHA256
d6118cc75232d498f802a86bca7086a5e2c4b7edca018ad7e58cd941b14c3863

SHA512
2daa8abf346848c744cb4c7e21c3a8bf88d9cd22af42974931e4b20df2393f5415ea95772d33bf27dd00e258f85f8bae34e923a127f18250e9ee0d2563b880e8

Download Submit
C:\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BaiduProtect_Setup.exe
Filesize
3.1MB

MD5
7d1931c7d4f92f8357667719e6073116

SHA1
080f6c906c9feedff44713f9ebf0867d3208b226

SHA256
d6118cc75232d498f802a86bca7086a5e2c4b7edca018ad7e58cd941b14c3863

SHA512
2daa8abf346848c744cb4c7e21c3a8bf88d9cd22af42974931e4b20df2393f5415ea95772d33bf27dd00e258f85f8bae34e923a127f18250e9ee0d2563b880e8

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDLogicUtils.dll
Filesize
743KB

MD5
1dc8b973e455c5780ff9292b134ba53f

SHA1
b79882210e4d103e3d46a758c1d3740584322ffb

SHA256
a192bda1c99b1482cab9b85e20438e10205082aae9c4b7ee71019704421be3de

SHA512
01da5931528a00d08aa42f6b3fc4c5f49f9eeb2827f84ecda2eaa0bb55690f3c06600962678a87878c87a96e3f9762ff06e91d17506e36ec937db8b80753915d

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDMNet.dll
Filesize
1.2MB

MD5
31a58ec93b9b2653ef590b9c421a2182

SHA1
4dc8ab28e1b935f91895d34865a16a6532234a49

SHA256
1ee556e333283819201a4844a6360a38f74e4ca5195a420bd8bbf367575583ea

SHA512
5759e2beeb4df35d15f275c94a69d3e65ffc3c0e7c66c10dc4aace4baa9608c697201fdda03ee468dc6c7cb2bd56a745903e9eb0a7cd17efb6bbfe4419133cfc

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe
Filesize
1.1MB

MD5
8eb226d284aa1737104560466b54e7b4

SHA1
b2fdd1f239f6371a8f4082e3e2fc2b3ea9af1e21

SHA256
b41358dc40cfc3fd5d3b95ca6cc765fbaafb37d0591a2780f7a95d243bff96ee

SHA512
e99c3904a67b635352b07558fa6e04c2617c4a13c24d83e2aaf782d47a739f3d6930e492ee2f6ac3a25f0ae9dfdc3ef8bb0075478a587a8c3f60a8967a684c08

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe
Filesize
1.1MB

MD5
8eb226d284aa1737104560466b54e7b4

SHA1
b2fdd1f239f6371a8f4082e3e2fc2b3ea9af1e21

SHA256
b41358dc40cfc3fd5d3b95ca6cc765fbaafb37d0591a2780f7a95d243bff96ee

SHA512
e99c3904a67b635352b07558fa6e04c2617c4a13c24d83e2aaf782d47a739f3d6930e492ee2f6ac3a25f0ae9dfdc3ef8bb0075478a587a8c3f60a8967a684c08

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\DriverManager.dll
Filesize
171KB

MD5
61f7af0d55b2fdc9f43d5713a1a1c141

SHA1
860f5d5413b13d50e39163caa1bf646c418ddef8

SHA256
3a2b9d349779418b16f8853ce75fe5064eecab0ce6f6cf3c53bdcaaeec45d761

SHA512
e5377a792b7a9e9d11e34480cf0f7b1306c9a73474e04897c5c8700fa05c8929b7260349c8be6fb839b23ce5c90abd1c805045afa7c80737793b77728e064f37

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\BDSGRtp_ContainerConfig.xml
Filesize
454B

MD5
8d38bb8d4cec297c49f2b1eb32cdfc13

SHA1
c8307bea68b595157cdbe2023c81f4227824d586

SHA256
dc62a06c30d192084cc779ee79424b569279db81cf4614223dab166270e4742e

SHA512
9054636648da4831367dbcf1fb5502320290008f07b223b02f64ebb24f3aaf289618a82cc7ede14c2348e1bccf2a14fadd98350ed95e3119014d957d2b9c9a48

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\BDSGRtp_pluginConfig.xml
Filesize
980B

MD5
53863e42f70b18d08ccca175000cc62a

SHA1
03373aa3f4d43531cd75e4df5bab6441be332192

SHA256
bf44512421e0f64d3b989cff08f2232869c84dd2984b7b5f48aa3c09bc4304fb

SHA512
e6519bb75a2b44b99eac8e18fdc4fa49e86582de08af6d3d20d9afd75aefc5ee6a33f107e49cbea4ddd8547862124fefbfa6354858d852c1edfeaf422ae0eda9

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\HIPS.dll
Filesize
1.8MB

MD5
45fc3910c38ec8d30aa1711b0281e13e

SHA1
708229702feadd14e4b101cd3395a250b704ab8c

SHA256
47de8bdcf2527f97ee01141d3a339d8d839dbb9edca39148ff719f9ae54bf31a

SHA512
2aa61f2116d830018a02111c856343da5d013de9961fb2b2ba61c095a0e3cf16bdec135428229f22578595e9aa506a436fe1bc2e3cd98326611f3c400291271f

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\baiduanRepair.dll
Filesize
539KB

MD5
1101752e725495fc43399e9d219aa768

SHA1
a8613d49cf1fb5f335954628b588bfa88be4f0ce

SHA256
94f3c4bcde1d91d48ec25686c46f2d8b6722014dc4efde541a46f2cb3d805b9b

SHA512
c25bb4172cf556e75f0d6392c5e55cb039e83a19fd7b709bbde6d537a7bcff469e0e53721028d5aa93162a6763d5718c4d373f0b9c948bc1434d94516dd50600

Download Submit
C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\baidusdRepair.dll
Filesize
539KB

MD5
ff5bc18ba721533a4e45960f605900b7

SHA1
df948edd47e135bfbc1b10450c051db37f52ba2c

SHA256
d46da8cc27b46df9482c30674a3fa440d14853014dad66c7d33ff092737086c7

SHA512
e700cd1948d43e36b05bd5d3d780abdbe992497eedfce3fbc52c61a58b4f9c6648856873cb7e621e294dd81a8dff09f83f27d523677b067102ebd39e9dd024b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\9EService.bat
Filesize
102B

MD5
331743b4f8d22620f1ae92c81ceebcc1

SHA1
9df307c5ccde2513d28cf84ad567cf1bddfc2643

SHA256
e1e9de188ddcc83781cce6399f12b246908cc4e4d807b014f8ec46abd550747e

SHA512
19e7f21125d3fefa2da739c944d8ff93641ad0859c838b2aaecf5c00e29f8cc137ad82c0218531a1627ec6cd0b2946359509c3a0847b5b00e937164570509b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\9EÈí¼þ°²×°ÓÅ»¯.bat
Filesize
272B

MD5
a09204b2cbd497696c179fe039d093aa

SHA1
4200b0bc2bbf78c6016a22c52a828e08127c6c9d

SHA256
5eff4bc25680d9f9cedded6a1b5887d9a5bee870ad600788846e548e567c3250

SHA512
2225b9c1d6b300cf0ca37a67750553b707af7ec3d8603b7b8af9ffd486ca2f3f670c146ed4c848756a2b8afee2835e251067de8bffb7a0663ca28fdea3bd3aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\BrowserSafe.exe
Filesize
59KB

MD5
fc64aca920320598d669cacacb6b8a76

SHA1
ed73b2a623a089884eef51aec9f3ff112fc207dc

SHA256
f96208c3006653c372accdf53ba148419486eb4555fedcb3af20f9308bc0fe2f

SHA512
5f49b0adbc64104e4b87596f4fc31cbf81241ab31e16e78c8845ba56f6efff9040ac9905ad2b23c1f38b60cff4fa4d8f205a57c416fa959ff0202839e05f41e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\BrowserSafe.exe
Filesize
59KB

MD5
fc64aca920320598d669cacacb6b8a76

SHA1
ed73b2a623a089884eef51aec9f3ff112fc207dc

SHA256
f96208c3006653c372accdf53ba148419486eb4555fedcb3af20f9308bc0fe2f

SHA512
5f49b0adbc64104e4b87596f4fc31cbf81241ab31e16e78c8845ba56f6efff9040ac9905ad2b23c1f38b60cff4fa4d8f205a57c416fa959ff0202839e05f41e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\BrowserSafe.sys
Filesize
13KB

MD5
d833d5b4eaa59a95ee31a9a0b3b4dbe2

SHA1
360ceadbb15c48dadf6b15ff4bcfd9e2240b4af6

SHA256
8699400e9de5397242486e170a57d3f91cc3907d2c521490d76d4c4325b902a1

SHA512
468c1e1a293164585ec6a3473ab710ec2f75df187a93de48be77391b20aeed0060f0025dacd0c4b458b89c758470a4da0fbba47b701348fb2a70477aef2cfa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\G0724_s_804390000.exe
Filesize
31.3MB

MD5
1bdcf635141bb798a3abe0b7d4b4f5a4

SHA1
76d5b1842e9624b2fdf43df8fd7ac84d49aac2e3

SHA256
d202069ec298680f8b8e20346e10e9fba23b4619b182181c9afc4a988424c4f0

SHA512
7d86240ea12235bc9be8825f9492508d77517314f5032544ef6e7adb2cbe90321a760fc15e5b97c2aafc2ef1e3c1188965cce12f9b446d4935944356f0ce8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\G0724_s_804390000.exe
Filesize
31.3MB

MD5
1bdcf635141bb798a3abe0b7d4b4f5a4

SHA1
76d5b1842e9624b2fdf43df8fd7ac84d49aac2e3

SHA256
d202069ec298680f8b8e20346e10e9fba23b4619b182181c9afc4a988424c4f0

SHA512
7d86240ea12235bc9be8825f9492508d77517314f5032544ef6e7adb2cbe90321a760fc15e5b97c2aafc2ef1e3c1188965cce12f9b446d4935944356f0ce8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1769.tmp\unstall.exe
Filesize
48KB

MD5
8e246d4564feebf4092e5b8e80f7a81c

SHA1
cbe6081e8d9727457cb7cf025467c054e775864c

SHA256
4996502d49b42f62248cc907613baf622b866830064f20d974f172ebfb9653b7

SHA512
c216fac77efefcd814f06ba3fd0cc20c36b7f8c0a74fee9386c4918badf1a52b8fc6f8733c11ce09da9f74b68e709c8122ddfdeefb99cd087fa6513274c9cd54

Download Submit
\Program Files (x86)\9ENetwork\9EPostService.exe
Filesize
337KB

MD5
f2a894e4a554b97cbdac7e0a04331334

SHA1
c7004b63f4d677201f339e4ec086ede76eedf73f

SHA256
020756fcefe510aecb136d0d8225a4cd76c97a0201ecb1530c3e9ff6bc346bba

SHA512
35a94c2cd4b837a287b367f2572cd579ccf7827e29e0f19c3085665e27ec0f8df760af2f1b6feb3fe3471f3397589bf8bab4a1083903745844c3933c4ad4005b

Download Submit
\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BDABrowserProtect.exe
Filesize
5.5MB

MD5
7623fdd5816aca66af09ac8f591a3058

SHA1
e1a71a6f71bc277afe160dcdf894cb81a1a92736

SHA256
dc0fb6953c61010675372b48265f63ddc01f22807abc5a93b9cc72c43a2b74cc

SHA512
b1e6532041502b3b92b208f563b17825b2817a6ec182ee4500f70b883f4f79c9b3ef0be745a73bf24d15e49ade2f34e98cc5cd1cb79a5ef84c5e130e5bd4e0d3

Download Submit
\Program Files (x86)\Baidu\BaiduAn\2.3.0.2225\plugins\BrowserProtect\BaiduProtect_Setup.exe
Filesize
3.1MB

MD5
7d1931c7d4f92f8357667719e6073116

SHA1
080f6c906c9feedff44713f9ebf0867d3208b226

SHA256
d6118cc75232d498f802a86bca7086a5e2c4b7edca018ad7e58cd941b14c3863

SHA512
2daa8abf346848c744cb4c7e21c3a8bf88d9cd22af42974931e4b20df2393f5415ea95772d33bf27dd00e258f85f8bae34e923a127f18250e9ee0d2563b880e8

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDLogicUtils.dll
Filesize
743KB

MD5
1dc8b973e455c5780ff9292b134ba53f

SHA1
b79882210e4d103e3d46a758c1d3740584322ffb

SHA256
a192bda1c99b1482cab9b85e20438e10205082aae9c4b7ee71019704421be3de

SHA512
01da5931528a00d08aa42f6b3fc4c5f49f9eeb2827f84ecda2eaa0bb55690f3c06600962678a87878c87a96e3f9762ff06e91d17506e36ec937db8b80753915d

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDLogicUtils.dll
Filesize
743KB

MD5
1dc8b973e455c5780ff9292b134ba53f

SHA1
b79882210e4d103e3d46a758c1d3740584322ffb

SHA256
a192bda1c99b1482cab9b85e20438e10205082aae9c4b7ee71019704421be3de

SHA512
01da5931528a00d08aa42f6b3fc4c5f49f9eeb2827f84ecda2eaa0bb55690f3c06600962678a87878c87a96e3f9762ff06e91d17506e36ec937db8b80753915d

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BDMNet.dll
Filesize
1.2MB

MD5
31a58ec93b9b2653ef590b9c421a2182

SHA1
4dc8ab28e1b935f91895d34865a16a6532234a49

SHA256
1ee556e333283819201a4844a6360a38f74e4ca5195a420bd8bbf367575583ea

SHA512
5759e2beeb4df35d15f275c94a69d3e65ffc3c0e7c66c10dc4aace4baa9608c697201fdda03ee468dc6c7cb2bd56a745903e9eb0a7cd17efb6bbfe4419133cfc

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe
Filesize
1.1MB

MD5
8eb226d284aa1737104560466b54e7b4

SHA1
b2fdd1f239f6371a8f4082e3e2fc2b3ea9af1e21

SHA256
b41358dc40cfc3fd5d3b95ca6cc765fbaafb37d0591a2780f7a95d243bff96ee

SHA512
e99c3904a67b635352b07558fa6e04c2617c4a13c24d83e2aaf782d47a739f3d6930e492ee2f6ac3a25f0ae9dfdc3ef8bb0075478a587a8c3f60a8967a684c08

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\BaiduProtect.exe
Filesize
1.1MB

MD5
8eb226d284aa1737104560466b54e7b4

SHA1
b2fdd1f239f6371a8f4082e3e2fc2b3ea9af1e21

SHA256
b41358dc40cfc3fd5d3b95ca6cc765fbaafb37d0591a2780f7a95d243bff96ee

SHA512
e99c3904a67b635352b07558fa6e04c2617c4a13c24d83e2aaf782d47a739f3d6930e492ee2f6ac3a25f0ae9dfdc3ef8bb0075478a587a8c3f60a8967a684c08

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\DriverManager.dll
Filesize
171KB

MD5
61f7af0d55b2fdc9f43d5713a1a1c141

SHA1
860f5d5413b13d50e39163caa1bf646c418ddef8

SHA256
3a2b9d349779418b16f8853ce75fe5064eecab0ce6f6cf3c53bdcaaeec45d761

SHA512
e5377a792b7a9e9d11e34480cf0f7b1306c9a73474e04897c5c8700fa05c8929b7260349c8be6fb839b23ce5c90abd1c805045afa7c80737793b77728e064f37

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\DriverManager.dll
Filesize
171KB

MD5
61f7af0d55b2fdc9f43d5713a1a1c141

SHA1
860f5d5413b13d50e39163caa1bf646c418ddef8

SHA256
3a2b9d349779418b16f8853ce75fe5064eecab0ce6f6cf3c53bdcaaeec45d761

SHA512
e5377a792b7a9e9d11e34480cf0f7b1306c9a73474e04897c5c8700fa05c8929b7260349c8be6fb839b23ce5c90abd1c805045afa7c80737793b77728e064f37

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\drivers\bd0001.sys
Filesize
101KB

MD5
b727c4ffc9990c3b7c2bd594e6ee70de

SHA1
71b090f4957cebe2af64aa7f8ae1d5b83f8ca665

SHA256
1e0b50e489cb00f3fcf92f544501460d7c45f757e0ed9f2b4697d9540a1695e6

SHA512
fdc60553a64c8275cd074114c93395217608c7e174c9bdf185d8a372e413973dbaefb44a18e41797b204363f377b7db994d889f8e35c1a491eee69cdccbacf8c

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\drivers\bd0001.sys
Filesize
101KB

MD5
b727c4ffc9990c3b7c2bd594e6ee70de

SHA1
71b090f4957cebe2af64aa7f8ae1d5b83f8ca665

SHA256
1e0b50e489cb00f3fcf92f544501460d7c45f757e0ed9f2b4697d9540a1695e6

SHA512
fdc60553a64c8275cd074114c93395217608c7e174c9bdf185d8a372e413973dbaefb44a18e41797b204363f377b7db994d889f8e35c1a491eee69cdccbacf8c

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\drivers\bd64_x64.dll
Filesize
40KB

MD5
e8384859bdd6af71f5f3c60ab5bf3f98

SHA1
a06f5f00e8b30ac02a2465e35c08269673caeb59

SHA256
84aff463fbd4d58eb8be4b7f61d3bf6dfe1960ca6aae17cd9705017860c2c84c

SHA512
f75fd3ac4ccb6989562f738b2e8b3066e28069550e8b40d082429964f0fec7550420b0a9e47cfb391167ec518ac617d6f90e1501d89ef91185050472a18f7da0

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\drivers\bd64_x64.dll
Filesize
40KB

MD5
e8384859bdd6af71f5f3c60ab5bf3f98

SHA1
a06f5f00e8b30ac02a2465e35c08269673caeb59

SHA256
84aff463fbd4d58eb8be4b7f61d3bf6dfe1960ca6aae17cd9705017860c2c84c

SHA512
f75fd3ac4ccb6989562f738b2e8b3066e28069550e8b40d082429964f0fec7550420b0a9e47cfb391167ec518ac617d6f90e1501d89ef91185050472a18f7da0

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\drivers\bd64_x86.dll
Filesize
38KB

MD5
2ef0728ac5460c5eb0d11204a7de940b

SHA1
1e62ba6cb0cabc589dbccbe1e7950d335ae47cd8

SHA256
47bc2e10d0758e747bca1d7c82ed4e2b896c66c804037a0a3d2b3894a51c5d03

SHA512
04c33b2db77c7d53c16ab3d2cea3dd1159b098ec28c4e95cb75dcc1e6fc84c537ba93e13d19cf76248066c60fb2a5047274a4c9b11cac54fad29b284da561463

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\drivers\bd64_x86.dll
Filesize
38KB

MD5
2ef0728ac5460c5eb0d11204a7de940b

SHA1
1e62ba6cb0cabc589dbccbe1e7950d335ae47cd8

SHA256
47bc2e10d0758e747bca1d7c82ed4e2b896c66c804037a0a3d2b3894a51c5d03

SHA512
04c33b2db77c7d53c16ab3d2cea3dd1159b098ec28c4e95cb75dcc1e6fc84c537ba93e13d19cf76248066c60fb2a5047274a4c9b11cac54fad29b284da561463

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\HIPS.dll
Filesize
1.8MB

MD5
45fc3910c38ec8d30aa1711b0281e13e

SHA1
708229702feadd14e4b101cd3395a250b704ab8c

SHA256
47de8bdcf2527f97ee01141d3a339d8d839dbb9edca39148ff719f9ae54bf31a

SHA512
2aa61f2116d830018a02111c856343da5d013de9961fb2b2ba61c095a0e3cf16bdec135428229f22578595e9aa506a436fe1bc2e3cd98326611f3c400291271f

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\baiduanRepair.dll
Filesize
539KB

MD5
1101752e725495fc43399e9d219aa768

SHA1
a8613d49cf1fb5f335954628b588bfa88be4f0ce

SHA256
94f3c4bcde1d91d48ec25686c46f2d8b6722014dc4efde541a46f2cb3d805b9b

SHA512
c25bb4172cf556e75f0d6392c5e55cb039e83a19fd7b709bbde6d537a7bcff469e0e53721028d5aa93162a6763d5718c4d373f0b9c948bc1434d94516dd50600

Download Submit
\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.2.8.49\plugins\baidusdRepair.dll
Filesize
539KB

MD5
ff5bc18ba721533a4e45960f605900b7

SHA1
df948edd47e135bfbc1b10450c051db37f52ba2c

SHA256
d46da8cc27b46df9482c30674a3fa440d14853014dad66c7d33ff092737086c7

SHA512
e700cd1948d43e36b05bd5d3d780abdbe992497eedfce3fbc52c61a58b4f9c6648856873cb7e621e294dd81a8dff09f83f27d523677b067102ebd39e9dd024b6

Download Submit
\Users\Admin\AppData\Local\Temp\nso88D2.tmp\BDMSkin.dll
Filesize
1.2MB

MD5
468e0ee03a56de50eec1c052fca6633e

SHA1
5436557a567ba1d4aa6780fd0cf3fc81174200fa

SHA256
1ca614c64baa61191b1c8381d068391aeaa7fe61f81a84242d4a1a3055bf2e30

SHA512
76e1b8529a7e0aaaf0af378bddf437b565f69d78811f9cb2cb8c3b32955769c8f3bc25ff4162f7ab8d88e2f279f5f1222b85b54ae5c03458a7b3f9d11f3ba376

Download Submit
\Users\Admin\AppData\Local\Temp\nso88D2.tmp\InstallHelper.dll
Filesize
1.1MB

MD5
b9af526c02bf5ffcde9fa97ac9fbb410

SHA1
b32ac9cd86f9154cfda2c0feda3abba8935dd86e

SHA256
9155be77e89ca7e3aca22783b7f84be274118e6e95b83c016d488e528f3aa4d4

SHA512
09c96a8ecddb09cd0cca579eec434c1ade2d05556b529c4e69ed0448df9cf24b4c50b5bab20eed9fac98ec31d5f774faa6809a56219c01df5a31b1d058d3fd37

Download Submit
\Users\Admin\AppData\Local\Temp\nso88D2.tmp\System.dll
Filesize
19KB

MD5
35d7b29c3ed690a8b0cd323917677b42

SHA1
ad74d2babe09f94838e408c8f9f77b6b56c644f5

SHA256
714bd22a836a7f164b848541b8bf8ac80a20ff38e10e412bf9ef518620a80b8c

SHA512
abc6f37b7306de737adf998607e81304ecc1589ac8e3164651b237def11b424a190e84608f4f6ce44a63ce225d93be7c617a736c82fb6b9077c5222c2e17b67d

Download Submit
\Users\Admin\AppData\Local\Temp\nso88D2.tmp\nsExec.dll
Filesize
14KB

MD5
5c8c57de64daea7d3098261c76888067

SHA1
5b69091e79a6611e97e12aa208283315f64b4231

SHA256
d39434e9e0388d4b8e1b0b57b6fef81544f9a9db64c4de2211077b08d13ce853

SHA512
b6a19d428214b5f88fe985f8f2cb0cb412542267d67141daf958f5c78a930e993dca288a95ea2417c9355dfee9c6e556ac17150c1eb843ae3c2e6f7ea9475693

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAFD2.tmp\bpInstallHelper.dll
Filesize
212KB

MD5
b0a0c7ededd303fd466c707b76da9078

SHA1
de2edbf7c703b1b33f507e290755bc25236d0e32

SHA256
deba7901ef9a886a34842dd57c4c0d97490d10da3565166127b6bf1ae914395a

SHA512
aed599cfef1d54e587b4505c34025b21f61347e540ff20899e98c9017466664d031d971446d8838845e4de26a2752258b8ba5ba1c7512a8dd7e3565778645f0a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\BrowserSafe.exe
Filesize
59KB

MD5
fc64aca920320598d669cacacb6b8a76

SHA1
ed73b2a623a089884eef51aec9f3ff112fc207dc

SHA256
f96208c3006653c372accdf53ba148419486eb4555fedcb3af20f9308bc0fe2f

SHA512
5f49b0adbc64104e4b87596f4fc31cbf81241ab31e16e78c8845ba56f6efff9040ac9905ad2b23c1f38b60cff4fa4d8f205a57c416fa959ff0202839e05f41e4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\G0724_s_804390000.exe
Filesize
31.3MB

MD5
1bdcf635141bb798a3abe0b7d4b4f5a4

SHA1
76d5b1842e9624b2fdf43df8fd7ac84d49aac2e3

SHA256
d202069ec298680f8b8e20346e10e9fba23b4619b182181c9afc4a988424c4f0

SHA512
7d86240ea12235bc9be8825f9492508d77517314f5032544ef6e7adb2cbe90321a760fc15e5b97c2aafc2ef1e3c1188965cce12f9b446d4935944356f0ce8b2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\Md5dll.dll
Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1769.tmp\unstall.exe
Filesize
48KB

MD5
8e246d4564feebf4092e5b8e80f7a81c

SHA1
cbe6081e8d9727457cb7cf025467c054e775864c

SHA256
4996502d49b42f62248cc907613baf622b866830064f20d974f172ebfb9653b7

SHA512
c216fac77efefcd814f06ba3fd0cc20c36b7f8c0a74fee9386c4918badf1a52b8fc6f8733c11ce09da9f74b68e709c8122ddfdeefb99cd087fa6513274c9cd54

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB4A2.tmp\InstallHelper.dll
Filesize
259KB

MD5
c43b117a2e73c52537b599a921928c8f

SHA1
89000b81161e9e9108b31996550983334b993fbb

SHA256
16e77610644fa909f3ca3f88e87dafaac0d111623d82b5c6ed1b481b6aed7ac3

SHA512
41cb5f459020c92a3e3590bbb66eff6834c848db60d83708bb061353dd165f3037694f2e026e17a85397799e3d006d8ea31024cad6a3eba362b5b0d14201bd77

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB4A2.tmp\System.dll
Filesize
19KB

MD5
f52eb281e29da8065e18805617ac2cbc

SHA1
341481101614a595f0f8e6c1212a5a3b5e6ea426

SHA256
21805996ea8b483e5c722a80897b51af9a42636af0b27bed86560825bd079cc6

SHA512
f8649371d3575c37bbd246c27acdf61a6c8c52642b53e8bf3eec042a6d363855d17ccf6cfed9e586b66164565a3fb8c56939a15e907d3517e5f511fda3bb8dce

Download Submit
memory/304-251-0x0000000000000000-mapping.dmp

Download
memory/532-55-0x0000000000000000-mapping.dmp

Download
memory/556-281-0x0000000000000000-mapping.dmp

Download
memory/568-394-0x0000000003500000-0x000000000352F000-memory.dmp

Filesize
188KB

Download
memory/568-386-0x0000000003500000-0x000000000351D000-memory.dmp

Filesize
116KB

Download
memory/568-418-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-419-0x00000000034E0000-0x00000000034F6000-memory.dmp

Filesize
88KB

Download
memory/568-398-0x0000000005BD0000-0x0000000006918000-memory.dmp

Filesize
13.3MB

Download
memory/568-420-0x00000000034E0000-0x000000000350F000-memory.dmp

Filesize
188KB

Download
memory/568-399-0x0000000005BD0000-0x0000000006918000-memory.dmp

Filesize
13.3MB

Download
memory/568-393-0x00000000057D0000-0x0000000006518000-memory.dmp

Filesize
13.3MB

Download
memory/568-392-0x00000000057D0000-0x0000000006518000-memory.dmp

Filesize
13.3MB

Download
memory/568-421-0x00000000034E0000-0x000000000350F000-memory.dmp

Filesize
188KB

Download
memory/568-389-0x00000000057D0000-0x0000000006518000-memory.dmp

Filesize
13.3MB

Download
memory/568-402-0x0000000005AB0000-0x00000000067F8000-memory.dmp

Filesize
13.3MB

Download
memory/568-388-0x00000000057D0000-0x0000000006518000-memory.dmp

Filesize
13.3MB

Download
memory/568-415-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-416-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-395-0x0000000003500000-0x000000000352F000-memory.dmp

Filesize
188KB

Download
memory/568-403-0x00000000034F0000-0x000000000350D000-memory.dmp

Filesize
116KB

Download
memory/568-417-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-400-0x00000000034F0000-0x000000000351F000-memory.dmp

Filesize
188KB

Download
memory/568-397-0x0000000005BD0000-0x0000000006918000-memory.dmp

Filesize
13.3MB

Download
memory/568-377-0x00000000034E0000-0x00000000034F6000-memory.dmp

Filesize
88KB

Download
memory/568-401-0x0000000005AB0000-0x00000000067F8000-memory.dmp

Filesize
13.3MB

Download
memory/568-387-0x0000000003500000-0x0000000003516000-memory.dmp

Filesize
88KB

Download
memory/568-396-0x0000000005BD0000-0x0000000006918000-memory.dmp

Filesize
13.3MB

Download
memory/568-378-0x00000000034E0000-0x000000000350F000-memory.dmp

Filesize
188KB

Download
memory/568-385-0x00000000056A0000-0x00000000063E8000-memory.dmp

Filesize
13.3MB

Download
memory/568-381-0x00000000056A0000-0x00000000063E8000-memory.dmp

Filesize
13.3MB

Download
memory/568-372-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-373-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-374-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/568-375-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/568-376-0x00000000034F0000-0x0000000003506000-memory.dmp

Filesize
88KB

Download
memory/568-379-0x00000000034E0000-0x000000000350F000-memory.dmp

Filesize
188KB

Download
memory/668-62-0x0000000000000000-mapping.dmp

Download
memory/732-308-0x0000000000000000-mapping.dmp

Download
memory/820-89-0x0000000000000000-mapping.dmp

Download
memory/908-75-0x0000000000000000-mapping.dmp

Download
memory/916-247-0x0000000004A80000-0x0000000004A9D000-memory.dmp

Filesize
116KB

Download
memory/916-240-0x0000000004A80000-0x0000000004AAF000-memory.dmp

Filesize
188KB

Download
memory/916-248-0x0000000004A80000-0x0000000004A9D000-memory.dmp

Filesize
116KB

Download
memory/916-246-0x0000000004C70000-0x00000000059B8000-memory.dmp

Filesize
13.3MB

Download
memory/916-245-0x0000000004C70000-0x00000000059B8000-memory.dmp

Filesize
13.3MB

Download
memory/916-267-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/916-241-0x0000000004A80000-0x0000000004AAF000-memory.dmp

Filesize
188KB

Download
memory/916-242-0x0000000004A80000-0x0000000004AAF000-memory.dmp

Filesize
188KB

Download
memory/916-229-0x0000000003C00000-0x0000000003C1B000-memory.dmp

Filesize
108KB

Download
memory/916-106-0x0000000000000000-mapping.dmp

Download
memory/916-113-0x0000000003A30000-0x0000000003B5D000-memory.dmp

Filesize
1.2MB

Download
memory/916-226-0x0000000003C20000-0x0000000003C2E000-memory.dmp

Filesize
56KB

Download
memory/916-224-0x0000000004AC0000-0x0000000004AEA000-memory.dmp

Filesize
168KB

Download
memory/932-84-0x0000000000000000-mapping.dmp

Download
memory/936-254-0x0000000000000000-mapping.dmp

Download
memory/940-243-0x0000000000000000-mapping.dmp

Download
memory/944-249-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1144-238-0x0000000000000000-mapping.dmp

Download
memory/1148-81-0x0000000000000000-mapping.dmp

Download
memory/1208-217-0x00000000007D0000-0x00000000008C6000-memory.dmp

Filesize
984KB

Download
memory/1208-211-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1208-208-0x0000000000000000-mapping.dmp

Download
memory/1208-326-0x0000000000000000-mapping.dmp

Download
memory/1208-219-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/1208-209-0x00000000006D0000-0x00000000007C5000-memory.dmp

Filesize
980KB

Download
memory/1208-404-0x0000000000000000-mapping.dmp

Download
memory/1208-215-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/1208-433-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/1208-213-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1252-77-0x0000000000000000-mapping.dmp

Download
memory/1300-71-0x0000000000000000-mapping.dmp

Download
memory/1408-314-0x0000000000000000-mapping.dmp

Download
memory/1504-174-0x00000000026A0000-0x00000000027AA000-memory.dmp

Filesize
1.0MB

Download
memory/1504-177-0x0000000002D40000-0x0000000002E6D000-memory.dmp

Filesize
1.2MB

Download
memory/1504-142-0x0000000000000000-mapping.dmp

Download
memory/1568-73-0x0000000000000000-mapping.dmp

Download
memory/1732-150-0x00000000037D0000-0x00000000037FF000-memory.dmp

Filesize
188KB

Download
memory/1732-151-0x00000000037D0000-0x00000000037FF000-memory.dmp

Filesize
188KB

Download
memory/1732-195-0x0000000003910000-0x0000000003A1A000-memory.dmp

Filesize
1.0MB

Download
memory/1732-197-0x0000000004110000-0x000000000423D000-memory.dmp

Filesize
1.2MB

Download
memory/1732-199-0x00000000037D0000-0x00000000037FF000-memory.dmp

Filesize
188KB

Download
memory/1732-201-0x00000000037D0000-0x00000000037FF000-memory.dmp

Filesize
188KB

Download
memory/1732-125-0x0000000000000000-mapping.dmp

Download
memory/1732-132-0x0000000002200000-0x000000000222A000-memory.dmp

Filesize
168KB

Download
memory/1756-321-0x0000000000000000-mapping.dmp

Download
memory/1768-95-0x0000000000000000-mapping.dmp

Download
memory/1776-390-0x0000000000000000-mapping.dmp

Download
memory/1776-79-0x0000000000000000-mapping.dmp

Download
memory/1884-66-0x0000000000000000-mapping.dmp

Download
memory/1896-200-0x00000000057A0000-0x00000000064DB000-memory.dmp

Filesize
13.2MB

Download
memory/1896-172-0x0000000003DD0000-0x0000000003EFD000-memory.dmp

Filesize
1.2MB

Download
memory/1896-204-0x00000000025C0000-0x00000000025EF000-memory.dmp

Filesize
188KB

Download
memory/1896-168-0x0000000003D40000-0x0000000003DC5000-memory.dmp

Filesize
532KB

Download
memory/1896-164-0x0000000003930000-0x00000000039B6000-memory.dmp

Filesize
536KB

Download
memory/1896-160-0x0000000002080000-0x00000000020AA000-memory.dmp

Filesize
168KB

Download
memory/1896-156-0x0000000003540000-0x0000000003716000-memory.dmp

Filesize
1.8MB

Download
memory/1896-207-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/1896-182-0x00000000057A0000-0x00000000064DB000-memory.dmp

Filesize
13.2MB

Download
memory/1896-191-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/1896-205-0x00000000025C0000-0x00000000025EF000-memory.dmp

Filesize
188KB

Download
memory/1896-183-0x00000000057A0000-0x00000000064DB000-memory.dmp

Filesize
13.2MB

Download
memory/1896-184-0x00000000025C0000-0x00000000025EF000-memory.dmp

Filesize
188KB

Download
memory/1896-192-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/1896-180-0x0000000002440000-0x000000000246F000-memory.dmp

Filesize
188KB

Download
memory/1896-206-0x00000000057A0000-0x00000000064DB000-memory.dmp

Filesize
13.2MB

Download
memory/1896-203-0x0000000002440000-0x000000000246F000-memory.dmp

Filesize
188KB

Download
memory/1896-186-0x00000000025C0000-0x00000000025EF000-memory.dmp

Filesize
188KB

Download
memory/1896-189-0x00000000057A0000-0x00000000064DB000-memory.dmp

Filesize
13.2MB

Download
memory/1896-202-0x0000000002440000-0x000000000246F000-memory.dmp

Filesize
188KB

Download
memory/1896-185-0x00000000025C0000-0x00000000025EF000-memory.dmp

Filesize
188KB

Download
memory/1896-181-0x0000000002440000-0x000000000246F000-memory.dmp

Filesize
188KB

Download
memory/1896-176-0x0000000002C90000-0x0000000002CF6000-memory.dmp

Filesize
408KB

Download
memory/1896-190-0x00000000057A0000-0x00000000064DB000-memory.dmp

Filesize
13.2MB

Download
memory/1908-101-0x0000000000000000-mapping.dmp

Download
memory/1964-119-0x0000000000000000-mapping.dmp

Download
memory/1976-227-0x0000000000000000-mapping.dmp

Download
memory/2000-69-0x0000000000000000-mapping.dmp

Download
memory/2020-116-0x0000000000000000-mapping.dmp

Download
memory/2032-463-0x0000000000000000-mapping.dmp

Download

pid	process
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460

pid	process
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460

pid	process
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460
460