Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-rb1x3ada74
Target b24eaa2502c9bb6d741e56302451a47c
SHA256 e7337744b755cc039f32348a645ac4cdac01fec4f4725403e2b7d677e7c3c245
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: e7337744b755cc039f32348a645ac4cdac01fec4f4725403e2b7d677e7c3c245

Threat Level: Shows suspicious behavior

The file b24eaa2502c9bb6d741e56302451a47c was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

NTFS ADS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:01

Reported

2024-03-04 14:04

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\`K• oßø) C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\eH•¦²ßø, C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PíW••‡ã8¤ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\fE•׫Þx\ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÔS•Þâø C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ДW•—Cã¸Ý C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PH•—ªß8U C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\†T•N²ãxÏ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ЮK•0߸ç C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PK•Nß8R C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¡M•Ý3áxè C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\-W•>”ãød C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ð J•Ï߸C C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\rM•€áø; C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\KM•§‹áx C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Q•½Íâø^ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PxW•µžã81 C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PYH•?Ñß8 C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PPO•öÄà8 C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐQ•&Ñâ¸M C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐNI•.ภC:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PÔI•Vèß8 C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐI•]à¸L C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PR•GÈá8P C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐìH•gšß¸¥ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐÌE•šÞ¸… C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\[K•žsßø C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ð>H•§£ß¸w C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\‡L•ÕìàxÎ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ïR•žáx¦ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ W•=›ãxB C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PöE•Nú< C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PÏI•ÿìß8† C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ìN•§Kàø¥ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐYL•¶+ḠC:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\СS•Öõá¸è C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐÆP• `⸏ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ОQ•uµâ¸× C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\óQ•7»âøº C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\6E•ž›Þø C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ð.V•Ý'ã¸g C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ªW•fBãxã C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¸T•m«ãøñ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Q• ÐâxS C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\6E•­›Þø C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐÿJ•ÞÔÞ¸¶ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\±K•×ßøø C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ H•®ßøC C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐDO•àภ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\P7R•þ¾á8~ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\zR•Îáx3 C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¬P•¯Nâøå C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ЭJ•žËÞ¸ä C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\éP••\âø  C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\PáE••“Þ8¨ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ M•^áøi C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\aV•†4ãx( C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐÑW•å‰ã¸˜ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\bW•ןãx+ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ð\N•eXà¸f C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ЖL•Néà¸ß C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ð&M•Þ\á¸o C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐÂK•B߸‹ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐBV•]:㸠C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\sE•~©Þø: C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\úK•:ßø³ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐS•þ:â¸G C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\úK•…:ßø³ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐBV•N:㸠C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÐBV•W:㸠C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\sE•‡©Þø: C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\sE•©Þø: C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\úK•v:ßø³ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe

"C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe"

Network

N/A

Files

\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll

MD5 1b8f4df33e4b9a3ea2e4616a148b35b4
SHA1 c4ebaa3dfcc8ed0311807c5a812f5a4a02dd6e9b
SHA256 1413011151fc984be69fa146ea07acc692e18bd3993e20b8654a2b4134937852
SHA512 90b41c98d09ec27ed401af0016fb2852b030d18f93ceb40486d825993f03884f00a3996332b4f673394825723fc2cb0c9bb24fe2944c5e6a8456aaf21c88c762

memory/2760-14-0x0000000002E40000-0x0000000002F96000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 14:01

Reported

2024-03-04 14:04

Platform

win10v2004-20240226-en

Max time kernel

120s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe"

Signatures

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\BaiduInstall = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\baidu\\bar\\BaiduBar.dll,Install" C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\L C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\̐ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôº C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÔÛ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¯ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ É C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\L C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\A C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\̬ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œs C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T½ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ À C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T— C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\΃ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ& C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\L‹ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Tí C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìm C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ ø C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T• C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Tà C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô  C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ { C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôb C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\”õ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ g C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ŒÔ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\  C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ê C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôƒ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œý C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\”· C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ŒÁ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ › C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìî C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\LH C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ k C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ӣ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô‰ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìÿ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ÷ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\”” C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ì( C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\” C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ӭ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ü C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\L4 C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ¾ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ– C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôë C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\L˜ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÔÄ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\”C C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\  C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\V C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ý C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Lý C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÌÏ C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\{0ô:@Y C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe

"C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2636 -ip 2636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1012

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll

MD5 1b8f4df33e4b9a3ea2e4616a148b35b4
SHA1 c4ebaa3dfcc8ed0311807c5a812f5a4a02dd6e9b
SHA256 1413011151fc984be69fa146ea07acc692e18bd3993e20b8654a2b4134937852
SHA512 90b41c98d09ec27ed401af0016fb2852b030d18f93ceb40486d825993f03884f00a3996332b4f673394825723fc2cb0c9bb24fe2944c5e6a8456aaf21c88c762

memory/2636-16-0x00000000031F0000-0x0000000003346000-memory.dmp