Malware Analysis Report

2025-08-11 04:30

Sample ID 250115-tr9w1szjcn
Target JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a
SHA256 9b73ac24c82e9f6793c9d5720c1c3895a1d8b75c43f3ab5e916fc7b56cafe2ab
Tags: discovery adware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Each behavioral analysis below has the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files:
Analysis: behavioral4
Analysis: behavioral13
Analysis: behavioral30
Analysis: behavioral1
Analysis: behavioral5
Analysis: behavioral20
Analysis: behavioral25
Analysis: behavioral6
Analysis: behavioral14
Analysis: behavioral17
Analysis: behavioral21
Analysis: behavioral28
Analysis: behavioral29
Analysis: behavioral32
Analysis: behavioral9
Analysis: behavioral16
Analysis: behavioral26
Analysis: behavioral18
Analysis: behavioral31
Analysis: behavioral2
Analysis: behavioral10
Analysis: behavioral11
Analysis: behavioral12
Analysis: behavioral23
Analysis: behavioral27
Analysis: behavioral7
Analysis: behavioral8
Analysis: behavioral15
Analysis: behavioral22
Analysis: behavioral24
Analysis: behavioral3
Analysis: behavioral19

Analysis Overview

Score: 7/10

SHA256 9b73ac24c82e9f6793c9d5720c1c3895a1d8b75c43f3ab5e916fc7b56cafe2ab

Threat Level: Shows suspicious behavior

The file JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a was found to show suspicious behavior.

Malicious Activity Summary

discovery adware stealer

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 16:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3640 -ip 3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 236

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\AddressBar.dll

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E11E187A-43D3-FCD1-29C4-8F05573F5F94} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=kwmusic_adr&addresssearch=1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=kwmusic_adr" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下,你就知道" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=kwmusic_adr&addresssearch=2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr\CLSID\ = "{E11E187A-43D3-FCD1-29C4-8F05573F5F94}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\VersionIndependentProgID\ = "AddressSearch.JsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1 C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0 C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\Programmable\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ProgID C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\\AddressBar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\Programmable\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\ = "ASBarBroker" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ = "BDBroker Class" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr\ = "E11E187A-43D3-FCD1-29C4-8F05573F5F94 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CLSID\ = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ = "SnavHttpProtocol Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CurVer\ = "AddressSearch.SnavHttpProtocol.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ = "IJsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\ProgID\ = "E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ProgID\ = "AddressSearch.JsObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID\ = "AddressSearch.SnavHttpProtocol" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\AppID = "{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID\ = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\CLSID\ = "{91878E42-FC03-4785-B513-1F9E613D1027}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\AddressBar.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\AddressBar.dll

C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe" -RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\AddressBar.dll

MD5 57d9f8b6e595ef4a02d8630c53fddcc3
SHA1 523dedd35613dc3221657876a3f5248e38e2a842
SHA256 c9a2b8ff0be921e2ac2ff6993f7fecc486b02969254884f89af3a19babfcf7e6
SHA512 e95f144caa3bb636fd4a085a24a41d95ac6dae1c47d729400bb65a37527863b02b15e98cb62121f2155956f8a2b177f3b1a11d9ba08881858924d9bd75be985e

memory/1092-7-0x0000000002E20000-0x0000000002F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{E11E1~1\ASBarBroker.exe

MD5 0ebf8f583abb1ffb40c07b87eae4edb3
SHA1 ef91b3245f426b86c2b69fd9678176d3be05c009
SHA256 00a481ef9985281177c1f6cc6d055c2bdb719db224637e7eb474a3eaab6305cf
SHA512 0bca7bc46019628149afb00cd69d26fd59195c4cbecbb472f9afabf73e8b3eb1da20fdaa4ef03c0776d11b5c8532d16b40a927e4b8b68640067c145cb7e463b4

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 244

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1452 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1452 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20241023-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\AddressBar.dll

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA09512-29D2-DA79-09F9-035AEFB20428} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CA09512-29D2-DA79-09F9-035AEFB20428}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=kwmusic_adr&addresssearch=2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=kwmusic_adr" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=kwmusic_adr&addresssearch=1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下,你就知道" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\CLSID\ = "{91878E42-FC03-4785-B513-1F9E613D1027}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\Programmable\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\VersionIndependentProgID\ = "AddressSearch.JsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\CLSID\ = "{91878E42-FC03-4785-B513-1F9E613D1027}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ = "IBDBroker" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1 C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\ProgID\ = "5CA09512-29D2-DA79-09F9-035AEFB20428.Addr.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}\\AddressBar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ProgID\ = "AddressSearch.SnavHttpProtocol.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\Programmable\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\VersionIndependentProgID\ = "5CA09512-29D2-DA79-09F9-035AEFB20428.Addr" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr\CLSID\ = "{5CA09512-29D2-DA79-09F9-035AEFB20428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\ = "SnavHttpProtocol Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\CurVer C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\ = "{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\ = "5CA09512-29D2-DA79-09F9-035AEFB20428 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}\\AddressBar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib\ = "{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ASBarBroker.EXE C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\ = "BDBroker Class" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\ = "BDBroker Class" C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027} C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr.1\CLSID\ = "{5CA09512-29D2-DA79-09F9-035AEFB20428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ = "SnavHttpProtocol Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr\ = "5CA09512-29D2-DA79-09F9-035AEFB20428 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAM_FILES\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}\\AddressBar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\AddressBar.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\AddressBar.dll

C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe" -RegServer

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\{5CA09512-29D2-DA79-09F9-035AEFB20428}\AddressBar.dll

MD5 57d9f8b6e595ef4a02d8630c53fddcc3
SHA1 523dedd35613dc3221657876a3f5248e38e2a842
SHA256 c9a2b8ff0be921e2ac2ff6993f7fecc486b02969254884f89af3a19babfcf7e6
SHA512 e95f144caa3bb636fd4a085a24a41d95ac6dae1c47d729400bb65a37527863b02b15e98cb62121f2155956f8a2b177f3b1a11d9ba08881858924d9bd75be985e

memory/2348-4-0x0000000003300000-0x0000000003426000-memory.dmp

\Users\Admin\AppData\Local\Temp\$PROGR~1\Baidu\{5CA09~1\ASBarBroker.exe

MD5 0ebf8f583abb1ffb40c07b87eae4edb3
SHA1 ef91b3245f426b86c2b69fd9678176d3be05c009
SHA256 00a481ef9985281177c1f6cc6d055c2bdb719db224637e7eb474a3eaab6305cf
SHA512 0bca7bc46019628149afb00cd69d26fd59195c4cbecbb472f9afabf73e8b3eb1da20fdaa4ef03c0776d11b5c8532d16b40a927e4b8b68640067c145cb7e463b4

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03} C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID\ = "BaiduBarX.ToolBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer\ = "BaiduBarX.BandIE.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\0 C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID\ = "BaiduBarX.BandIE.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1 C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32 C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\ = "百度工具栏个性化首页支持组件" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID\ = "BaiduBarX.ToolBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID\ = "BaiduBarEx.BDHomePage.5" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\TypeLib C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID\ = "BaiduBar.Tool" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\ = "百度工具栏个性化首页支持组件" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32\ = "\"C:\\Program Files (x86)\\Baidu\\Toolbar\\BarBroker.exe\"" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32 C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CurVer\ = "BarBroker.BDBroker.1" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172} C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR\ C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\ = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer

Network

Country Destination Domain Proto

Files

C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll

MD5 73e815b7dc46cee5be197dc4f81dd3f1
SHA1 610013942da6c1d9db80e9bb2624baf290d7d7bb
SHA256 92be55ea5d5eacfc9120467c4fbc2090c824cd8a232fab11e1a83433faf0285d
SHA512 b893d52579d99b5a44f69f5dc91d7f3df860409000915df2124bff353fdeb87b7e023fa7572e698b71b271c3e66d2ba65155fd97bc0abd43cf952673d889f246

memory/1288-14-0x0000000002D50000-0x0000000002DAC000-memory.dmp

C:\Program Files (x86)\Baidu\Toolbar\rc.dll

MD5 989404e09f568db722a978f0cddc2d91
SHA1 b4144e15cb05c125cf06d63203e8ad4b889b9b12
SHA256 f97d8a7717605f48441b01bbbaf54952553787a9cdd394c0efbde870897c5f12
SHA512 c05eba31bfb2cd201043defa809399252a185d76c7815abf58146bee18b265e8113966dd6cc1b5fff714d45d293b8424c0ba2459e7e6a893a3575c7c4813a638

memory/1288-4-0x0000000003110000-0x0000000003369000-memory.dmp

C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

MD5 f87f4f7c0278667dc2d88ec6d7b6022d
SHA1 5650e64099f23359dfcc7c8c9380d7157e236c61
SHA256 06d7a9d5379d303aa0498757fea75fdfe7c8bdb922a2c5672b0fbe8726460bdd
SHA512 777c0c9d000495be084bb0127840c5b175d556d2da8ddbe30b04a99c8e271796cb1ce0ee2eac4c7b6d938fc17abdcba85fd1e4320620ca45b5a1fd31fa9cc8ae

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20241010-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsbAEB1.tmp\KuWoNsis_new.dll

MD5 5b7d3fc9651089f373df83a9bdc922a7
SHA1 e0ee059b261e89bef6bdc9392ea4a579686a410f
SHA256 cb1e6695c6d55c3bd4b8d12cbe6a2e48687e72c84223256a3431560b2d4d7e59
SHA512 5feaf4de80e9057c9b3fc2d5ef2a5b7ef857fa7de67e5e5aa56915d06cd42b8544a8e707140bf182ad4907fc51a022fa597316f27e481abe170ba2548d64f911

C:\Users\Admin\AppData\Local\Temp\nsbAEB1.tmp\inetc.dll

MD5 94a8ace2be90a687c1b1729c32c66e50
SHA1 94cff89cc170c00b1f849460f78cb12ab8730538
SHA256 1a6c160fd844dea35195371476119f91eab302d701b0f6f1c3fe87ad92cc93df
SHA512 ba23dfa7a29450451ac3f6ef6bf9e89352e1d17f7a2b7c7e5a87839becd6676542d2189d443322b3cad08b1bcac8851eebf9964fa37190e551f0bd717dcc5deb

memory/4852-13148-0x0000000010000000-0x0000000010009000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1712 -ip 1712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20241023-en

Max time kernel

118s

Max time network

118s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172} C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CurVer\ = "BaiduBarX.ToolBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID\ = "BaiduBarEx.BDHomePage" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ = "ITool" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\ = "BDBroker Class" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\ = "Baidu Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32 C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\ = "Baidu Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ = "百度工具栏个性化首页支持组件" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID\ = "BaiduBarEx.BDHomePage.5" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID\ = "BarBroker.BDBroker" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32\ = "\"C:\\Program Files (x86)\\Baidu\\Toolbar\\BarBroker.exe\"" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\ = "Baidu Toolbar BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\ = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\ = "BDBroker Class" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID\ = "{5BECD27B-DCF5-4DEF-B066-486A47245C03}" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ = "BDBroker Class" C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer

Network

N/A

Files

\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll

MD5 73e815b7dc46cee5be197dc4f81dd3f1
SHA1 610013942da6c1d9db80e9bb2624baf290d7d7bb
SHA256 92be55ea5d5eacfc9120467c4fbc2090c824cd8a232fab11e1a83433faf0285d
SHA512 b893d52579d99b5a44f69f5dc91d7f3df860409000915df2124bff353fdeb87b7e023fa7572e698b71b271c3e66d2ba65155fd97bc0abd43cf952673d889f246

memory/2820-2-0x0000000002950000-0x0000000002BA9000-memory.dmp

\Program Files (x86)\Baidu\Toolbar\rc.dll

MD5 989404e09f568db722a978f0cddc2d91
SHA1 b4144e15cb05c125cf06d63203e8ad4b889b9b12
SHA256 f97d8a7717605f48441b01bbbaf54952553787a9cdd394c0efbde870897c5f12
SHA512 c05eba31bfb2cd201043defa809399252a185d76c7815abf58146bee18b265e8113966dd6cc1b5fff714d45d293b8424c0ba2459e7e6a893a3575c7c4813a638

memory/2820-9-0x0000000000820000-0x000000000087C000-memory.dmp

\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

MD5 f87f4f7c0278667dc2d88ec6d7b6022d
SHA1 5650e64099f23359dfcc7c8c9380d7157e236c61
SHA256 06d7a9d5379d303aa0498757fea75fdfe7c8bdb922a2c5672b0fbe8726460bdd
SHA512 777c0c9d000495be084bb0127840c5b175d556d2da8ddbe30b04a99c8e271796cb1ce0ee2eac4c7b6d938fc17abdcba85fd1e4320620ca45b5a1fd31fa9cc8ae

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1000 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1000 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240729-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20241010-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 240

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\ASBarBroker.exe"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20241010-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe N/A (64 identical rows)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\KWMUSIC\DownloadUpdate.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy4F0C.tmp\KuWoNsis_new.dll

MD5 5b7d3fc9651089f373df83a9bdc922a7
SHA1 e0ee059b261e89bef6bdc9392ea4a579686a410f
SHA256 cb1e6695c6d55c3bd4b8d12cbe6a2e48687e72c84223256a3431560b2d4d7e59
SHA512 5feaf4de80e9057c9b3fc2d5ef2a5b7ef857fa7de67e5e5aa56915d06cd42b8544a8e707140bf182ad4907fc51a022fa597316f27e481abe170ba2548d64f911

\Users\Admin\AppData\Local\Temp\nsy4F0C.tmp\inetc.dll

MD5 94a8ace2be90a687c1b1729c32c66e50
SHA1 94cff89cc170c00b1f849460f78cb12ab8730538
SHA256 1a6c160fd844dea35195371476119f91eab302d701b0f6f1c3fe87ad92cc93df
SHA512 ba23dfa7a29450451ac3f6ef6bf9e89352e1d17f7a2b7c7e5a87839becd6676542d2189d443322b3cad08b1bcac8851eebf9964fa37190e551f0bd717dcc5deb

memory/2240-61509-0x0000000010000000-0x0000000010009000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3932 wrote to memory of 3448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3932 wrote to memory of 3448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3932 wrote to memory of 3448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3448 -ip 3448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-15 16:18

Reported

2025-01-15 16:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KuWoNsis_new.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224

Network

N/A

Files

N/A