300fe6224578b1254a43444f7e1783dd608a6c065d4e6089e7560e719fc787b2

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baid.exe
Size

227KB
MD5

b0af6e16283c6a34400c6859e35b236d
SHA1

d114c3a26e79b11facbeb42b8cea528bc903aaa5
SHA256

2f765008ab3b84766ac87b1e508ed5ae0c421c21fd5a74d5070bda0cf1502810
SHA512

51cce66b80cc73c339295988a38b6b678285192417189533e8afe1f8dfe66430ad7496fef0dbb76e1b240831fbe63767b8f0180edef9aa7c4e2a16d4c053273a
SSDEEP

6144:Bu3dwQ0I2XyxnAy0SN41nv2DiJXBfWjNs6sm0P65:kN3qY4h2DiXdWRbszS5

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

baid.exe

pid	Process
2300	baid.exe
2300	baid.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

baid.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B580CF65-E151-49C3-B73F-70B13FCA8E86}	baid.exe

Drops file in Program Files directory 3 IoCs

Processes:

baid.exe

description	ioc	Process
File opened for modification	C:\Progra~1\Baidu\bar\SET4164.tmp	baid.exe
File created	C:\Progra~1\Baidu\bar\SET4164.tmp	baid.exe
File opened for modification	C:\Progra~1\Baidu\bar\BaiDuBar.dll	baid.exe

Drops file in Windows directory 1 IoCs

Processes:

baid.exe

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	baid.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

baid.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê\Contexts = 10	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3	baid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\Contexts = 10	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê	baid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É\Contexts = 10	baid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\Contexts = 10	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUIMG.HTM"	baid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬\Contexts = 10	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDULYRIC.HTM"	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUPOST.HTM"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³	baid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\Contexts = 10	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É	baid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 00	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUMP3.HTM"	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUSEARCH.HTM"	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUNEWS.HTM"	baid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDU_DIC.HTM"	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷	baid.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ	baid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\Contexts = 10	baid.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3	baid.exe

Modifies registry class 64 IoCs

Processes:

baid.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\ProgID\ = "MimeFilter.AdFilter.1"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\TypeLib	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1"	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ = "IAdFilter"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib\Version = "1.0"	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\Programmable	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\ = "AdFilter Class"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu.1	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\ = "AdFilter Class"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\TypeLib\Version = "1.0"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\TypeLib	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CLSID	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32\ThreadingModel = "Apartment"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\ = "BaiduBar"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CLSID\ = "{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}"	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\VersionIndependentProgID	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu.1\CLSID	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\FLAGS	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ = "ITool"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\CLSID\ = "{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\VersionIndependentProgID\ = "MimeFilter.AdFilter"	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\TypeLib	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32\ThreadingModel = "Apartment"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CurVer	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ = "IBaidu"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\VersionIndependentProgID	baid.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\CLSID	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\HELPDIR\ = "C:\\Progra~1\\Baidu\\bar\\"	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID	baid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1	baid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baid.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

baid.exe

description	pid	Process
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeRestorePrivilege	2300	baid.exe
Token: SeBackupPrivilege	2300	baid.exe

C:\Users\Admin\AppData\Local\Temp\baid.exe
"C:\Users\Admin\AppData\Local\Temp\baid.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\°ïÖúÖ¸ÄÏ.url

Filesize
127B

MD5
d10620d94a4bcf18082d42c4171ca514

SHA1
4171adbf386ca788ad3b2b28a9d22717243938fd

SHA256
a3eda9c70339478639a0159a97fac437472595eeda99c07767b33a43850dc92b

SHA512
fc4fb3af2368840f0be621de128c84e2092c39aa835cbb6a282cb692b15f00a65c43ec303662ade23919cce64dbe10344662abe64470269824f507153d2c7ddc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\¹ã¸æÀ¹½Ø.url

Filesize
123B

MD5
3e467f2735c1e58d2634c3fe8f436334

SHA1
cea7862c5f9f31492c1dcb2bca4cb25787df565a

SHA256
85de95bf7dd047e20f10c0a47c12b21655c31657e72539a40d2b7aea044b301e

SHA512
1130fedbb8403bc1e68b51361f615bd8acbde53bd5a30c02e4e5ed7dc87c160a7237fee96fe58e16011f64e7e9e19b01e25e027c2054fb2cf5816a8f5dd69ad0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\À¬»øÇåÀí.url

Filesize
126B

MD5
d95495e899435953a6783c0314c1350e

SHA1
347f83d0dd498633d4be0e6690126c8313169d23

SHA256
2829ea044762270b03bb27322b72df3ffc81b4b94deccf185876b9408f5ddbaf

SHA512
3d72d2b3780c4b11d2155c4cd74eadd31cf7ae037052a9432d942f08f8d7bf5f369e59885d7e1cad14dd846bf82cf358f1de96ae18da9f882b474b16ffff4624

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÆÁ±ÎÁÐ±í.url

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÏµÍ³¼ÓËÙ.url

Filesize
123B

MD5
57c64c9d4155ae2ffbae9647f233bd16

SHA1
7cd3d4e8f2b5008eb1811208d75239082b5eb7da

SHA256
643ca07421266240b5331e923b4f7a30be3144a550637bf9c61f9e9973d957aa

SHA512
f28eda995d6abdea3eeda02909dafa331639b5664e71ba53fd7761068e615e23b7bc2b7993f0b7a677d94494b44439b1816997c1523a548d38b0679f366d7cf9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÐÞ¸´¹¦ÄÜ.url

Filesize
126B

MD5
0af1d9ee3aed5f7b34e7268134ea416b

SHA1
f981dc2c1bfb6172c7d527d8c9c273fb1f2ea856

SHA256
276b59b2946a0055f5e96bb06b7dc2b33b64b682ea5389b6d2d8918ca27bc38c

SHA512
15e44e2341e04c3248462bf2e24016e66f1ac498cd29e752ee7f963e3d7b297ce9329f631282dfeb016fd80e9a8260001bfa2dc5e649dfcf44b240bdcc6016dd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÒþË½±£»¤.url

Filesize
126B

MD5
32999fa80e4f6c6561346a99595a8f23

SHA1
47880460d7ab5cb47c0b5aed6a7f2710cfbf4dd4

SHA256
73bbd206aab8a1775ead488d8004b87a6de5d74926aad0f19084e6eede7b09bf

SHA512
afd3caee0c4bf56c91ef5af0cc4bff55b55ec251399e7b0ef4543fc23e6e264fa625935b845a3a74e7902726883cf9406b0d969502c0c0432bde0953efc8e97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BaiduBar.dll

Filesize
342KB

MD5
d2a4042ffa73af68e1e92c007410b8a6

SHA1
9c423bab8f323add1f1dc6cd1a98ee243be457a1

SHA256
14f9d44e6cb456769c5d72b11aa0c1f0eb54d8702a80b1cde98542610272707a

SHA512
de22dd94472e2ecc41b32c90cd3c793203772b6837f2e85a34f49840e7b0631eb039709254015afc9c69ea8b7b07ab9205b9d907e183c390099255f74087f2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.inf

Filesize
587B

MD5
0c3994fbab1f2de3f85bc4307eaf807c

SHA1
0b069e8f556ccb1bd8e25cffd7dbeed004a19af8

SHA256
1f0d3ec96e317b505d6ed2e73f2f9af7b885214f2693d19eed61da2a764b2661

SHA512
a51ac973bc7b3987e572d26ef03c704857790f94dac445bbcb04d33733ba468599b2373a75357694c205d762e096e23138e9edb497fb5dc3ffd8a67e3bbd86dd

Download Submit
\PROGRA~1\Baidu\bar\BaiDuBar.dll

Filesize
267KB

MD5
ba3027661cf23145d3c5d81119e74473

SHA1
df926785a90dfd8347d7039013cd94c244bab2be

SHA256
391ff6e6480e2290409db75e9ab0ce3b102efe24ee9066145be1514b63223c41

SHA512
2404d46baf2ed60ed6e1840d27e68e9192e97d59f174fe6fbcd4dc817e64afdabdc24773be8538e804d167ad18ee771c03e8811c4ac2d506c4ea274f8d906bd0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
90KB

MD5
d553b62a8136d41289513c6405efea2d

SHA1
db48c3fd3993ff20511e47ffad14bfbdb9f438eb

SHA256
ce7cfb626807084186b248bbf2ef776eac086da936146f7d44956c2fcfaec1f8

SHA512
4a3767e8ac1e684a9a6eaced921b9599e34d5a4e83f034c7fe42bd8fd707a2b86f51ad485933fed5015554c3f9c4cf4b1357832964cc170d8cba86092fc9d2e2

Download Submit