Malware Analysis Report

2024-07-28 05:16

Sample ID 240605-cf2ylabg45
Target 2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe
SHA256 61412215fb26d53852080768f435afcfa050319f0431cc1c4f0ac6e203eeb5e2
Tags
adware bootkit discovery persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files sections, in report order: behavioral2, behavioral6, behavioral16, behavioral20, behavioral26, behavioral28, behavioral3, behavioral15, behavioral27, behavioral7, behavioral8, behavioral9, behavioral12, behavioral18, behavioral21, behavioral1, behavioral4, behavioral17, behavioral19, behavioral25, behavioral29, behavioral11, behavioral10, behavioral13, behavioral14, behavioral30, behavioral5, behavioral22, behavioral23, behavioral24

Analysis Overview

score
7/10

SHA256

61412215fb26d53852080768f435afcfa050319f0431cc1c4f0ac6e203eeb5e2

Threat Level: Shows suspicious behavior

The file 2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

adware bootkit discovery persistence stealer

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-05 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\Programmable C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\ = "BDDLBHO 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\CLSID\ = "{9AF85209-24E7-4031-80FA-D32BA8BAE55E}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}\ = "BDDLBHO" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer\ = "BDDLBHO.CloudCtl.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib\ = "{41AA1C76-EC23-4d0f-80A1-7E0DA3A4D46A}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID\ = "BDIEHelper.JSOnClick.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CurVer C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID\ = "BDDLBHO.CloudCtl.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\ = "BDDownload IE JSOnClick Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CurVer\ = "BDIEHelper.JSOnClick.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\CLSID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe

"C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 dr.br.baidu.com udp
US 8.8.8.8:53 cfg.download.iyuntian.com udp
US 8.8.8.8:53 rc.download.iyuntian.com udp
US 8.8.8.8:53 dtrp.download.iyuntian.com udp
US 8.8.8.8:53 utk.download.iyuntian.com udp
US 8.8.8.8:53 jp.download.iyuntian.com udp
US 8.8.8.8:53 tk.download.iyuntian.com udp
US 8.8.8.8:53 res.download.iyuntian.com udp
US 8.8.8.8:53 sn.download.iyuntian.com udp
US 8.8.8.8:53 res2.download.iyuntian.com udp
US 8.8.8.8:53 dlsw.baidu.com udp
US 8.8.8.8:53 res3.download.iyuntian.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BDIEHelper.dll

MD5 962928acbfb8223c419615ceb8baca5f
SHA1 574e3815ea8683c75a360a6b527d6e27eda68247
SHA256 6b894c1f5de423d08f5f28bcb52c95589c1a474c75f90563606f440d9a668125
SHA512 d656838985cd0641e3e9f268059b5c2f30ef98411867eb28bceb268c0085d559d65a611d0429265e513d4b1e08dc77bcfed6cbb13c5be946dbebd8d05d428980

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BDDLBHO.dll

MD5 0f35053b980e7a3d93018c10928dd3ba
SHA1 28b6a54b5e0bb10b5bd24300f6f49090cef9c582
SHA256 20a792f1c76588866a9e0667c4d74e4c8123a1a55eb0956b93fcdf3109c153e8
SHA512 491e084d130342f66071b279f904e7444e5c6363094025a11c010664c366420b23397cc19afc9a05f4c1209df709ab3ec4485278c559f2029cf77808c235e71e

C:\Users\Admin\AppData\Local\Temp\nst441F.tmp\InstallHelper.dll

MD5 e8f6633f06b6b7e576fd764f97fe8573
SHA1 d149d067c9d53bcb8d20ac006da581a8e43daf84
SHA256 53c9cd1bbb9c595708ff00297694492135202649066551a354f0f8475e4c41c8
SHA512 9587c452cdb4c103bb9347eb7f0ff43759ff4b7ba53de2d9446807b24b954af1547c227df05069a91c49f39dbd181f5890784101d74727deeffcc032b01cc6ca

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe

MD5 1b5c78bd3dfb6f09903e4c48e5aa8e0d
SHA1 3921aa3cb3bae513896c449133d4cfe2c07a338d
SHA256 f2bbf8e694843c144d0df7f26c27105ffff36a7bfbde39811f2740f2339e276f
SHA512 a9ac7bd7f8433a2f060eec9de29989044d5be96108fe8759b226f095bc68de4cc4467133e839cff6f01df31b7817d79bc84715fcc3374d4f3f2e22407c776446

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\Basic.dll

MD5 68126329883772fc76c11c9330d59f10
SHA1 9bb01572084607ceeb11525b14eb187b91acec8d
SHA256 7d0b68fa571ab446ce2622c220644bfe7f61f72020e70bbdb138458b0dd06ce1
SHA512 d8a9bd76bd7ef9a739b4249725a8abb48c5c89487470386b488af4f0a0a5fcaed08ee86167bae041d770fdcd9992ea820a7395daceb5070b240c0f2412e21b13

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\Protocol.dll

MD5 6416ec89c15c7e82f746645bf59b70de
SHA1 c611dde65206c03913acb5177f428eb226cd4ac7
SHA256 34a223dcc8ca4c834a5918a8d7626b1c4d16205b65e5c82e83fd0f2966be8856
SHA512 8842335663c9357576620cd3b1c631c76d14675b7a9e7a6f48afe3b443a37b307daa6d6650e00bec2e670da2c921fc0c53988daf73b900a63c17671d4a0b723a

memory/2960-87-0x0000000002690000-0x000000000271E000-memory.dmp

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\min.png

MD5 923b44bc2d6c32bbf987d8e454c1b9c9
SHA1 e353390e66c7796f038439bbcb3154d2d172f881
SHA256 85ccfff45347ae28d8e86f55b7f55481e024eadd0e8164725723d80191a93833
SHA512 9c2a96fc7d96c89544126312e61b05604c7e15830777999e8e552800356eaa08f894376d1367dbbfcc314898cc4a3907f36b568b57ab531702bb6c5c82e0bbe6

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\error.png

MD5 cb296e6c32e6c1cf3417cfaefd507cdf
SHA1 68087748339614ff078270b613375a27d8c21c37
SHA256 5d02a4d8d5369c5510b6e48381662915850ba71f4bcf463e49f11112da4d55fd
SHA512 d5f215f266e12042f3bdc057edc9c91ee1fee46d215cba99f8980569759e1cce758d1a458c46b9affa3a5efe0149f5234be30267879df62eb0eeb269f6a5c81b

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\loading.png

MD5 bbdd7761a126f4d08ffdf7bc24d4ebc1
SHA1 dfef5e0b1fe35e090446c2e1f73a50cb64e9f125
SHA256 949f346fb21087d2f39ff02b2eab49f4b298480e013e84efc34a134f7666dd1b
SHA512 14d4e70df23b3058f5e67d91fc9d31222faf1057f2efa97c43c0e866f1fe831c22752a178a6f851637a355f06204d1d1ac60cefdb220e6e91a388af6165a53fe

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\progressbar_bk.png

MD5 952624e2c93702a3d85067b3976d0737
SHA1 6664c57c2939cd5e098ac97f83b427e85c03e9dd
SHA256 e39b1f8c487b20fe81f4cadded3dd225df0352b8b3beb9f18b9571179e9dcf86
SHA512 d62e7dbdaf74f76608203619645511e7b166fdf62b6d7769cedf5d1395ac022bf3b3d9720984f2e78bbc21292d9734a846e5f33288f15839402cc02b4a8c0084

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\download.png

MD5 8cec8cd49cc6ab2407b208734f894ee0
SHA1 26fe0bd4adf364ac3368650827198b3f0bc434b2
SHA256 a764be59fc441edcf556cbdfa8a88c2a61d85755dec568033181cec259de80a9
SHA512 fb0cd310e9a4bd20c25aba7c9b42e6d96fe61a3a423b9131ba039409bee02c19ce54fafbe96327de000e02923ad0fcb47fb3f16ed212a38c52df15c0c4370a61

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\buttonpath.png

MD5 556c3293e239354ae8d4512626627500
SHA1 e6c1ff2b818e605ac193c54bb6a6fdcd381788f5
SHA256 e06a763a9a4f7e7f892371b7b0d8d75a646585f7e94afe96c64b34d067f89471
SHA512 e65845941d2ba177ef2d050109a9440d04c490c2ad82b5f34c5f825fb274ebf101852d89c142e05c82c3774a354b6ffcbf3225cb64b56e4bdf6d68ccb72fae0a

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\config.png

MD5 870a7927e4162c105f1088961f302bf5
SHA1 780584cdb540356bf5750818503c95c0f1b8b5af
SHA256 49054a271dee8fa537abbabdf51ff9ff344730f9b220e2836ef5a413a55acc06
SHA512 ecee075be135ae09ad68cc921c9ef63528758a79080f7414e183a9a405269b50c25322d1e508aeb08a9ae60d91e85fc5c465e954900dc38b86224197322f7df5

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\path.png

MD5 9ab2c49c8358224707492f661219504d
SHA1 dbd27803ecd4117d85844bf434319788cb078ea9
SHA256 e7f035cb1bc7c2b0961eefc2c4ad80252efda45ae4279b28f1287a1e7feede34
SHA512 48416191cc4da9ab8becbb96a498959f4768d173a7103fc9427503695f11ab382a355e7de1fa64a29f40bd5ebcf4e66201c7c5416adb0cfd0773446640f4ea03

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\softlogo_1.png

MD5 805915e2e8578ab10a22e438cc88bd7e
SHA1 9c854d56f58acd23abd610a5521c1820999e0b24
SHA256 019bb4ef81de698251f1d76643bac2cff8bb832766e03bba749d14715bc5b24d
SHA512 4d61911424858b052f58ac736db499100fd984b13866534286755f223e0c9fef79f7a5b0df99fc00f0c135dcbb83da21628ab8760082aa576f7078a0ecc5b0fc

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\logo.png

MD5 eb9c7029a97b82489d568505f2d6ef07
SHA1 397b2d40a174b4ecbb789f6db5a983e593da2cc4
SHA256 ad801e96ea10f05a704329a685d9743eb364eec2766689ef115415f5bdc0a30d
SHA512 d9ec79d732bcd1a377a61bf9aeed2dd18e17710dc920f548085e6207e1a0a39718cfae6c875b28f2e04a2720593b9763141a5f93b95a9732be89a0a7fe60d664

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\mainbnd.png

MD5 7df626695c6d6a89a11cf5a283364df3
SHA1 28d29b2d7c3216d9d906fd58e2ffa0cee95adfa6
SHA256 c6d6eccd6de98a2c728b8a5276eb9eff8ee118aee22b2b04426c5fd3ef273998
SHA512 413b7c77813163adc1be77ba646b6e19c6dc55302861b2ee13b311cdebb723e2b774b7b74228cbd3f30cc4690e0fe1f4100540f812b1aa8b43acc7011e6d8bb5

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\close.png

MD5 b3135d97cfb54651847910382a8a932f
SHA1 66c114ef8fce8d49651be3bd3580d277c27bb342
SHA256 657bc0eac3efda11154ed7459cbe6be18bfd35a57dfc74de1462beee927758f1
SHA512 a6a9c8dec951550fb5906adf73535421d20d89210f8ca5cd32b4e5ac737c4161496864495e2fe916bfdeac5bf18ab77940a7edeaec9969eedde60e45edbea78b

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\config.ini

MD5 26bcef869d69507949ca423a1b1029f5
SHA1 8fe5e407db804a73629d23817ee9b788194f15fe
SHA256 71f84f6a0f2848e5b51380808ac102eab741e9d55f5cc8b21a65f2b53d41286e
SHA512 370bc7a081b75c0452027bcc6770391f8c7f50a4de14b317dc0ab2c15f2f5b020eef066662fc3ab3fd4f781ee4b765928cfa84c97be46f56fe1ea7bef20b9d90

memory/2960-81-0x0000000000A50000-0x0000000000ABF000-memory.dmp

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\Report.dll

MD5 ccaa1fdca4d505fe683f63ea031eebf8
SHA1 d966a8053260376fc27451184aa6d1ab0f8f8ad0
SHA256 63442dbc6be0ce4aa233ae265f15fea2d3dcbd09ee5799bb58ac49450cffdea2
SHA512 3f3a3f2c90b16f33626f8f40c375df18e1b1f10c639f3979981f2591447afb04ee281e8b75b364afbb72657b76fc3003096bc652da799a3b6ebb8a75f11bc299

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\pause.png

MD5 c0b9c4a8d9cac7a62783bbe117e56bce
SHA1 bf078e083bd87a3507e81a62f6f2108b3e4f2295
SHA256 07600e1f3ca1b55d0ae1253d88db0d57e75380a735db1f7b33b5fd3ecfb14e8d
SHA512 511c8eedc1b5afe821f6932735746af6000e3e6fd5943cd2134dff8b31129cff4184d963fbfc74064cf7677d0873cabb2fec9bacc3e93a3716c34a97ca2deed2

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\dl.dll

MD5 ba7f2f6a04d1e8afe0990be4656faeb5
SHA1 3d522057cf25ec9d7f34a49dd4ec68a6fb50753b
SHA256 109cdc7ab3650386d91803bc38a6ae6b061a182ff57105ec00be641e9a70f17e
SHA512 62c54388bfdb8d4de9702fdfebc26bf40bca1a92a8ad2949b012a4a671fc01d6c1c927203938d36f11e6e0b0ec4f39b489f12f68cd3b57d006c45238eccf9d35

memory/2960-110-0x0000000004660000-0x000000000484D000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

100s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDDLBHO.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDDLBHO.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID\ = "BDDLBHO.CloudCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\ = "BDDLBHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDDLBHO.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\VersionIndependentProgID\ = "BDDLBHO.CloudCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}\ = "BDDLBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer\ = "BDDLBHO.CloudCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 4036 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 4036 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 4036 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDDLBHO.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\BDDLBHO.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Protocol.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 3092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 812 wrote to memory of 3092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 812 wrote to memory of 3092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Protocol.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Protocol.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3092-0-0x0000000001520000-0x000000000158F000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Update.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4352 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4352 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Update.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Update.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4340-0-0x00000000012E0000-0x000000000134F000-memory.dmp

memory/4340-2-0x0000000002C90000-0x0000000002D1E000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\npBDDLPlug.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\npBDDLPlug.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\npBDDLPlug.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\uninstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\uninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$_2_\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 05608ae6e2722d380f583f31404fd031
SHA1 e3786a5c5bc31d177f9e4ee53969f8350b67bdd0
SHA256 6fef0ce7b8a97f818c0156386acbcde1783c9b1cb16d1c7ffc08e3919fdd8f74
SHA512 85040c2847ce25d9c4acb2d8688559f0d13b105a22df42e6dc43a8d7e8c2b325d74d015faf4c2812fe06a124708421c513505548c27ba7213bf9ba823649de44

C:\Users\Admin\AppData\Local\Temp\nsi5C0C.tmp\InstallHelper.dll

MD5 e8f6633f06b6b7e576fd764f97fe8573
SHA1 d149d067c9d53bcb8d20ac006da581a8e43daf84
SHA256 53c9cd1bbb9c595708ff00297694492135202649066551a354f0f8475e4c41c8
SHA512 9587c452cdb4c103bb9347eb7f0ff43759ff4b7ba53de2d9446807b24b954af1547c227df05069a91c49f39dbd181f5890784101d74727deeffcc032b01cc6ca

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 228

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240220-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Protocol.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Protocol.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Protocol.dll,#1

Network

N/A

Files

memory/1588-1-0x00000000001F0000-0x000000000025F000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240215-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\uninstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\uninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$_2_\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 05608ae6e2722d380f583f31404fd031
SHA1 e3786a5c5bc31d177f9e4ee53969f8350b67bdd0
SHA256 6fef0ce7b8a97f818c0156386acbcde1783c9b1cb16d1c7ffc08e3919fdd8f74
SHA512 85040c2847ce25d9c4acb2d8688559f0d13b105a22df42e6dc43a8d7e8c2b325d74d015faf4c2812fe06a124708421c513505548c27ba7213bf9ba823649de44

\Users\Admin\AppData\Local\Temp\nsy32B6.tmp\InstallHelper.dll

MD5 e8f6633f06b6b7e576fd764f97fe8573
SHA1 d149d067c9d53bcb8d20ac006da581a8e43daf84
SHA256 53c9cd1bbb9c595708ff00297694492135202649066551a354f0f8475e4c41c8
SHA512 9587c452cdb4c103bb9347eb7f0ff43759ff4b7ba53de2d9446807b24b954af1547c227df05069a91c49f39dbd181f5890784101d74727deeffcc032b01cc6ca

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDIEHelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDIEHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID\ = "BDIEHelper.JSOnClick" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\ = "BDDownload IE JSOnClick Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CLSID\ = "{9AF85209-24E7-4031-80FA-D32BA8BAE55E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CurVer\ = "BDIEHelper.JSOnClick.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ = "BDDownload IE JSOnClick Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\CLSID\ = "{9AF85209-24E7-4031-80FA-D32BA8BAE55E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID\ = "BDIEHelper.JSOnClick.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib\ = "{41AA1C76-EC23-4d0f-80A1-7E0DA3A4D46A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDIEHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\ = "BDDownload IE JSOnClick Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\ = "BDIEHelper 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2936 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDIEHelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\BDIEHelper.dll

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDIEHelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\ = "BDDownload IE JSOnClick Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CurVer\ = "BDIEHelper.JSOnClick.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\CLSID\ = "{9AF85209-24E7-4031-80FA-D32BA8BAE55E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\ = "BDDownload IE JSOnClick Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ = "BDDownload IE JSOnClick Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID\ = "BDIEHelper.JSOnClick.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib\ = "{41AA1C76-EC23-4d0f-80A1-7E0DA3A4D46A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CLSID\ = "{9AF85209-24E7-4031-80FA-D32BA8BAE55E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDIEHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID\ = "BDIEHelper.JSOnClick" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDIEHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\ = "BDIEHelper 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 3432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4888 wrote to memory of 3432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4888 wrote to memory of 3432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDIEHelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\BDIEHelper.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dr.br.baidu.com udp
US 8.8.8.8:53 cfg.download.iyuntian.com udp
US 8.8.8.8:53 rc.download.iyuntian.com udp
US 8.8.8.8:53 utk.download.iyuntian.com udp
US 8.8.8.8:53 dtrp.download.iyuntian.com udp
US 8.8.8.8:53 tk.download.iyuntian.com udp
US 8.8.8.8:53 jp.download.iyuntian.com udp
US 8.8.8.8:53 sn.download.iyuntian.com udp
US 8.8.8.8:53 res.download.iyuntian.com udp
US 8.8.8.8:53 res.download.iyuntian.com udp
US 8.8.8.8:53 res2.download.iyuntian.com udp
US 8.8.8.8:53 dlsw.baidu.com udp
US 8.8.8.8:53 res3.download.iyuntian.com udp

Files

memory/1224-0-0x00000000002C0000-0x00000000002F2000-memory.dmp

memory/1224-6-0x0000000003070000-0x00000000030FE000-memory.dmp

memory/1224-9-0x0000000003A80000-0x0000000003C6D000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Basic.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5084 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5084 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Basic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Basic.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Report.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3272 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3272 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Report.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Report.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1348-0-0x0000000001500000-0x000000000156F000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\Update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\Update.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\Update.exe"

Network

N/A

Files

memory/1600-0-0x0000000000240000-0x00000000002AF000-memory.dmp

memory/1600-2-0x00000000002B0000-0x000000000033E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID\ = "BDDLBHO.CloudCtl.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\baidu\\BaiduMiniDownloader\\1.0.1.2\\BDIEHelper.dll" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\Programmable C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib\ = "{41AA1C76-EC23-4d0f-80A1-7E0DA3A4D46A}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\ = "BDDLBHO 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID\ = "BDIEHelper.JSOnClick" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\ = "Baidu MiniDownloader Browser Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick.1\ = "BDDownload IE JSOnClick Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\ = "{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ = "BDDownload IE JSOnClick Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer\ = "BDDLBHO.CloudCtl.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\ProgID\ = "BDIEHelper.JSOnClick.1" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AF85209-24E7-4031-80FA-D32BA8BAE55E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\baidu\\BaiduMiniDownloader\\1.0.1.2\\BDIEHelper.dll" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDIEHelper.JSOnClick\ = "BDDownload IE JSOnClick Helper" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\ = "IBDDLIEPlugin" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41AA1C76-EC23-4D0F-80A1-7E0DA3A4D46A}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54232AAA-3CB4-4035-8595-90E386E43E02}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6} C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2953032d3e8083333fbbe91041feddc0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe

"C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dr.br.baidu.com udp
US 8.8.8.8:53 cfg.download.iyuntian.com udp
US 8.8.8.8:53 rc.download.iyuntian.com udp
US 8.8.8.8:53 dtrp.download.iyuntian.com udp
US 8.8.8.8:53 utk.download.iyuntian.com udp
US 8.8.8.8:53 jp.download.iyuntian.com udp
US 8.8.8.8:53 tk.download.iyuntian.com udp
US 8.8.8.8:53 res.download.iyuntian.com udp
US 8.8.8.8:53 sn.download.iyuntian.com udp
US 8.8.8.8:53 res2.download.iyuntian.com udp
US 8.8.8.8:53 dlsw.baidu.com udp
US 8.8.8.8:53 res3.download.iyuntian.com udp

Files

\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BDIEHelper.dll

\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BDDLBHO.dll

\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\InstallHelper.dll

\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\BaiduMiniDL.exe

\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\Basic.dll

memory/2268-69-0x00000000002B0000-0x00000000002E2000-memory.dmp

\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\Report.dll

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\Protocol.dll

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\config.ini

memory/2268-74-0x0000000001F50000-0x0000000001FDE000-memory.dmp

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\close.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\softlogo.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\logo.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\mainbnd.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\min.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\error.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\loading.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\progressbar_bk.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\download.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\buttonpath.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\config.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\path.png

C:\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\image\pause.png

\Users\Admin\AppData\Roaming\baidu\BaiduMiniDownloader\1.0.1.2\dl.dll

memory/2268-97-0x0000000003E70000-0x000000000405D000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2900 wrote to memory of 892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2900 wrote to memory of 892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 892 -ip 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240215-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Report.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Report.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Report.dll,#1

Network

N/A

Files

memory/2156-1-0x0000000000430000-0x000000000049F000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Update.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Update.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Update.dll,#1

Network

N/A

Files

memory/2912-0-0x00000000001D0000-0x000000000023F000-memory.dmp

memory/2912-2-0x00000000002F0000-0x000000000037E000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\npBDDLPlug.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\npBDDLPlug.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\npBDDLPlug.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 224

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Basic.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Basic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Basic.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 276

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\BaiduMiniDL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dr.br.baidu.com udp
US 8.8.8.8:53 cfg.download.iyuntian.com udp
US 8.8.8.8:53 rc.download.iyuntian.com udp
US 8.8.8.8:53 dtrp.download.iyuntian.com udp
US 8.8.8.8:53 utk.download.iyuntian.com udp
US 8.8.8.8:53 jp.download.iyuntian.com udp
US 8.8.8.8:53 tk.download.iyuntian.com udp
US 8.8.8.8:53 res.download.iyuntian.com udp
US 8.8.8.8:53 sn.download.iyuntian.com udp
US 8.8.8.8:53 res2.download.iyuntian.com udp
US 8.8.8.8:53 dlsw.baidu.com udp
US 8.8.8.8:53 res3.download.iyuntian.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4656-0-0x0000000000A80000-0x0000000000AB2000-memory.dmp

memory/4656-2-0x0000000002390000-0x000000000241E000-memory.dmp

memory/4656-10-0x0000000005A50000-0x0000000005C3D000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 952 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 952 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1616 -ip 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDDLBHO.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer\ = "BDDLBHO.CloudCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}\ = "BDDLBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\VersionIndependentProgID\ = "BDDLBHO.CloudCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDDLBHO.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ = "ICloudCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\BDDLBHO.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\CLSID\ = "{88096372-571E-45A5-8425-A63E5EE37B4C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\TypeLib\ = "{1C7FB80F-D97E-4130-8CC8-75231844E132}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BDDLBHO.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1\ = "Baidu MiniDownloader Browser Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\AppID = "{C1CA1971-84DF-4FEC-AF76-3C3FDB6226E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\ = "BDDLBHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BDDLBHO.CloudCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88096372-571E-45A5-8425-A63E5EE37B4C}\ProgID\ = "BDDLBHO.CloudCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C7FB80F-D97E-4130-8CC8-75231844E132}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB8D240-4963-4069-8892-683994A6F8B1} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\BDDLBHO.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\BDDLBHO.dll

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\Update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\Update.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\Update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp

Files

memory/940-1-0x0000000000A40000-0x0000000000AAF000-memory.dmp

memory/940-2-0x0000000000AB0000-0x0000000000B3E000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dl.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\ = "BaiduDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ = "BaiduDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib\ = "{25BD9BB7-33EC-4220-B725-56C470146288}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiduDl.DLL\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiduDl.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1\ = "BaiduDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CurVer\ = "BaiduDl.BaiduDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}\ = "BaiduDl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID\ = "BaiduDl.BaiduDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\ = "BaiduDl 1.0 类型库" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID\ = "BaiduDl.BaiduDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dl.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\dl.dll

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-05 02:01

Reported

2024-06-05 02:04

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

157s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dl.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID\ = "BaiduDl.BaiduDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}\ = "BaiduDl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiduDl.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID\ = "BaiduDl.BaiduDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ = "BaiduDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\ = "BaiduDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib\ = "{25BD9BB7-33EC-4220-B725-56C470146288}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload.1\ = "BaiduDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CurVer\ = "BaiduDl.BaiduDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\ = "BaiduDl 1.0 ÀàÐÍ¿â" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiduDl.DLL\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduDl.BaiduDownload\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 1048 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1708 wrote to memory of 1048 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1708 wrote to memory of 1048 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dl.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\dl.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

N/A