2b1cb463731d798783eb5786ef6eb5adcdfaaa77bc58ce090f8f5e8fac11acfe

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
Size

321KB
MD5

d142e94f80fd713e31e2f12d419627d8
SHA1

670694de28ed2361b9f53d86ba128fe2281220d7
SHA256

2b1cb463731d798783eb5786ef6eb5adcdfaaa77bc58ce090f8f5e8fac11acfe
SHA512

f60624e8fe4ce9c2041fdec767341f0c7561a1976ee6458364a37cfffa01924cb54a0e2bc0233d7782ae6cab4a0464c421ad7a56bd2c0f456b15e60d56517bcd
SSDEEP

6144:wiLs+Lop94KLMZ4hD2tUfBxboPRY4aLxXGf1:wiQ+o9TYFtUJB9nVGf1

Score

7^/10

adware discovery evasion execution stealer trojan upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2308	info2asp.exe
2624	iePlayer.exe
2496	Update.exe

Loads dropped DLL 8 IoCs

pid	Process
1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
1456	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1120-0-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1120-10-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1120-28-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iePlayer.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\ = "bhoRay2009 Class"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}	regsvr32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\baidu\info2asp.exe	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
File created	C:\Windows\baidu\ATLcom.dll	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
File created	C:\Windows\baidu\shortcut.js	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
File created	C:\Windows\baidu\iePlayer.exe	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
File created	C:\Windows\baidu\Update.exe	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2840	2308	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iePlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	info2asp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\HELPDIR\ = "C:\\Windows\\baidu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ = "IbhoRay2009"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\ = "ATLcom 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\TypeLib\ = "{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ = "IbhoRay2009"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\TypeLib\ = "{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\TypeLib\ = "{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009.1\CLSID\ = "{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009\CLSID\ = "{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ATLcom.DLL\AppID = "{DDD096FC-ADD6-4914-BCF7-4976E7BC66C9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009\ = "bhoRay2009 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{DDD096FC-ADD6-4914-BCF7-4976E7BC66C9}\ = "ATLcom"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ATLcom.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\0\win32\ = "C:\\Windows\\baidu\\ATLcom.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{DDD096FC-ADD6-4914-BCF7-4976E7BC66C9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\ProgID\ = "ATLcom.bhoRay2009.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\VersionIndependentProgID\ = "ATLcom.bhoRay2009"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009.1\ = "bhoRay2009 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009\CurVer\ = "ATLcom.bhoRay2009.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\ = "bhoRay2009 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\InprocServer32\ = "C:\\Windows\\baidu\\ATLcom.dll"	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2624	iePlayer.exe
2624	iePlayer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2308	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2308	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2308	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2308	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	29
PID 2308 wrote to memory of 2840	2308	info2asp.exe	30
PID 2308 wrote to memory of 2840	2308	info2asp.exe	30
PID 2308 wrote to memory of 2840	2308	info2asp.exe	30
PID 2308 wrote to memory of 2840	2308	info2asp.exe	30
PID 1120 wrote to memory of 2796	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2796	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2796	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2796	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2624	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	32
PID 1120 wrote to memory of 2624	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	32
PID 1120 wrote to memory of 2624	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	32
PID 1120 wrote to memory of 2624	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	32
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 2796 wrote to memory of 1456	2796	wscript.exe	33
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34
PID 1120 wrote to memory of 2496	1120	d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\baidu\info2asp.exe
  C:\Windows\baidu\info2asp.exe 0ECF425C63BA9ACDBA47BEF4ED72944104DF6AFDB457BD8183FBA579EA41783397D3B712A66FD4610ED517291C47C3467ADC55E55E
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 308
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2840
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe C:\Windows\baidu\shortcut.js //B
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s C:\Windows\baidu\ATLcom.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1456
- C:\Windows\baidu\iePlayer.exe
  C:\Windows\baidu\iePlayer.exe 0ECF425C63BA9ACDBA47BEF4ED72944104DF6AFDB457BD8183FBA579EA41783397D3B712A66FD4610ED517291C47C3467ADC55E55E
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Windows\baidu\Update.exe
  C:\Windows\baidu\Update.exe 0ECF425C63BA9ACDBA47BEF4ED72944104DF6AFDB457BD8183FBA579EA41783397D3B712A66FD4610ED517291C47C3467ADC55E55E
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\baidu\iePlayer.exe

Filesize
64KB

MD5
bcd7327919f9a78aeb5ea8e62705cb6d

SHA1
1dcb15d024e634063ee2b05f15af59589b16ffff

SHA256
f846d5eb0aa0c5bb648f0167ccde1cb2e882cafbb5f2a3737b7879a9c2b07505

SHA512
f2b71ab5e1666882d9d8a640f81f9625ee95903278a2254697457d3cd2f4a6aaa490f77a06632d71658ffc37180b7b0a9e1dbc7ef33a2ec007f2464212af8e9b

Download Submit
C:\Windows\baidu\shortcut.js

Filesize
1KB

MD5
c7ea49bd0568bf89f387f6c5b45163ec

SHA1
6d694978c5c523ff460e890c6ea2aab43d8f615e

SHA256
07e61ebf29c13a0ff3c17b491c2c2550baf1e9ba894b19e880cfa8b660f2bf7a

SHA512
efd72c2f7c587e2fb2259e1864e47f528e9239453f4233383ac9a5f6205abed42313dc0c4fde8bc0cf686f3e94f14221a910e774194232ad31f4afef44d266b9

Download Submit
\Windows\baidu\ATLcom.dll

Filesize
90KB

MD5
8d8afbdd1977f3c5dc12775e56b7c319

SHA1
44cc86024bccaa91e29936623696594befb0a025

SHA256
1e8febc754066269b7c5f22388f4d3b7b4a7a70d382a8ae6f5daffe35ebb014b

SHA512
d669ac2137daaeedc64cbb8c4817a9c02ba3d57f2db3e82ebaea6c12c7e55cb6d2db47ca488338da065af517c5a1b27ba4fd4da41805ebc219e2f4053d6693d6

Download Submit
\Windows\baidu\Update.exe

Filesize
57KB

MD5
e4c0db0561f859b0614d2dc8119e6ef7

SHA1
d2749a469f5eb70dbd2247ab09393377706974bf

SHA256
d1e609355222a3985ff0dd2fb8989e8be74032e4a6ea2d82592525116dbfbd6b

SHA512
1b0e738e7436b798760c46d5422330909914e835bb6ae9611cbd6b861f8f8f4996a3c4e7c86e88448fca954920d27e310b665d80c6f0907e770a4d69de482966

Download Submit
\Windows\baidu\info2asp.exe

Filesize
41KB

MD5
1000b47ffbae539166a0e996216ebb36

SHA1
0803068acac00e9339fc1bcc4d2dca9752045f56

SHA256
d1558f21145f2b285a56cd926d39c9dca03fe32657b54c6467b42e443e5217cb

SHA512
2e80199bf91bb3d29b21ca4d920e04f5bf212d887314326a072e62d8e8686ff8b4eb9923c6fb4ccb10d9ccd1906bda5c5018b553b480d12bc8c6bcc27a0ed5bb

Download Submit
memory/1120-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1120-10-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1120-28-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download