Overview
overview
7Static
static
32b2c904bb1...18.exe
windows7-x64
32b2c904bb1...18.exe
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...it.exe
windows7-x64
1$PLUGINSDI...it.exe
windows10-2004-x64
1360Inst-qvod001.exe
windows7-x64
7360Inst-qvod001.exe
windows10-2004-x64
7Baidu-ASBar.exe
windows7-x64
1Baidu-ASBar.exe
windows10-2004-x64
3$PROGRAM_F...ar.dll
windows7-x64
7$PROGRAM_F...ar.dll
windows10-2004-x64
7Baidu-Tool...cb.exe
windows7-x64
1Baidu-Tool...cb.exe
windows10-2004-x64
3$PROGRAM_F...rX.dll
windows7-x64
7$PROGRAM_F...rX.dll
windows10-2004-x64
7Codecs/Col...ax.dll
windows7-x64
1Codecs/Col...ax.dll
windows10-2004-x64
1Codecs/Rea...ax.dll
windows7-x64
1Codecs/Rea...ax.dll
windows10-2004-x64
1Codecs/asf...ax.dll
windows7-x64
1Codecs/asf...ax.dll
windows10-2004-x64
1Codecs/atrc.dll
windows7-x64
1Codecs/atrc.dll
windows10-2004-x64
1Codecs/cook.dll
windows7-x64
1Codecs/cook.dll
windows10-2004-x64
1Codecs/drvc.dll
windows7-x64
1Codecs/drvc.dll
windows10-2004-x64
1Codecs/raac.dll
windows7-x64
1Codecs/raac.dll
windows10-2004-x64
1Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
08/07/2024, 05:40
Static task
static1
Behavioral task
behavioral1
Sample
2b2c904bb1cbc51c113183f1988480de_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
2b2c904bb1cbc51c113183f1988480de_JaffaCakes118.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/QvodInit.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/QvodInit.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
360Inst-qvod001.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral10
Sample
360Inst-qvod001.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Baidu-ASBar.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral12
Sample
Baidu-ASBar.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PROGRAM_FILES/Baidu/AddressBar/AddressBar_Tmp/AddressBar.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
$PROGRAM_FILES/Baidu/AddressBar/AddressBar_Tmp/AddressBar.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Baidu-Toolbar-utf8kb_cb.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
Baidu-Toolbar-utf8kb_cb.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Codecs/ColorFilter.ax.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
Codecs/ColorFilter.ax.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Codecs/RealMediaSplitter.ax.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
Codecs/RealMediaSplitter.ax.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Codecs/asfsplliter.ax.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
Codecs/asfsplliter.ax.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Codecs/atrc.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral26
Sample
Codecs/atrc.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Codecs/cook.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral28
Sample
Codecs/cook.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Codecs/drvc.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral30
Sample
Codecs/drvc.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Codecs/raac.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
Codecs/raac.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
General
-
Target
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
-
Size
2.3MB
-
MD5
8c70775e64828cf1bc974aa850862620
-
SHA1
77fcbd8f8a9d2f5ea9051f26da104bef50195881
-
SHA256
7216f4e16b6ca0c2b3b9f6c28bd1618802e0963c72c26a7285fefaf0fe95aa9c
-
SHA512
2c5d699a5d80222b1b310f1f059643186b9d4755da502b840b5a2c6daff3fbfa836e45d3d98150c72a76b47077637400a2c2856e07ee9628e07017b93877bbaf
-
SSDEEP
49152:9VVPl8AlDw6JPul9zjJ+rEC0KaTda845t20Tu1IA2Nvvf:9VLPlD1BufPJ+h3vj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2964 BarBroker.exe -
Loads dropped DLL 8 IoCs
pid Process 2372 regsvr32.exe 2372 regsvr32.exe 2372 regsvr32.exe 2372 regsvr32.exe 2372 regsvr32.exe 2372 regsvr32.exe 2372 regsvr32.exe 2372 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" regsvr32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" BarBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" BarBroker.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} BarBroker.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\ = "BDBroker Class" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer\ = "BaiduBarEx.BDHomePage.4" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1 BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ = "Baidu Toolbar" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CurVer BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID\ = "BaiduBar.Tool" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\ = "BDBroker Class" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ = "BDBroker Class" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CurVer\ = "BaiduBarX.ToolBand.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID\ = "BaiduBarX.BandIE" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32\ = "\"C:\\Program Files (x86)\\Baidu\\Toolbar\\BarBroker.exe\"" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\ = "BarBroker 1.0 Type Library" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\ = "BarBroker" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ = "ITool" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID\ = "BaiduBarEx.BDHomePage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer\ = "BaiduBarX.BandIE.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarBroker.EXE BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2 regsvr32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2268 wrote to memory of 2372 2268 regsvr32.exe 30 PID 2372 wrote to memory of 2964 2372 regsvr32.exe 31 PID 2372 wrote to memory of 2964 2372 regsvr32.exe 31 PID 2372 wrote to memory of 2964 2372 regsvr32.exe 31 PID 2372 wrote to memory of 2964 2372 regsvr32.exe 31
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:2964
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD58c70775e64828cf1bc974aa850862620
SHA177fcbd8f8a9d2f5ea9051f26da104bef50195881
SHA2567216f4e16b6ca0c2b3b9f6c28bd1618802e0963c72c26a7285fefaf0fe95aa9c
SHA5122c5d699a5d80222b1b310f1f059643186b9d4755da502b840b5a2c6daff3fbfa836e45d3d98150c72a76b47077637400a2c2856e07ee9628e07017b93877bbaf
-
Filesize
221KB
MD5dea4340d1295890634b894f3f9def140
SHA1d6fa4ec2463775fbb59055522546a53257ab1d76
SHA256617526fef62a0be7c40e3a9e99ca358d2ec4db3751fa1a8a9b00fc1cdd6c0405
SHA512ada53ccf483a395947d31ccb4967469f128eaee20f5671c372fbd921db6e4f263aa4d3a91b7d8b8f3b17cf634db1b13a72695eb16391a403917925236d3ede9d
-
Filesize
361KB
MD52020d680fb0c37c7980dc76c6ea3ece6
SHA170e8eca8550dcf09bacb3736d86c505c39da2317
SHA256dcff68acdeb530eb9e98417375c070832680fef8749ea3ba86651e3dac7d2c07
SHA51294de5ca902f540fd4f5d34f3da91b9c9113e378735706f6be956556eef74070ac9a84223fcce0bd6a4b9f904fa352dc56ab37ad937ba42faf224313791f678a7