Overview (score 10)
Static (score 9)
hxjydazhuz...dm.dll, windows7-x64 (score 1)
hxjydazhuz...dm.dll, windows10-2004-x64 (score 1)
hxjydazhuz...ta.dll, windows7-x64 (score 8)
hxjydazhuz...ta.dll, windows10-2004-x64 (score 8)
hxjydazhuz...��.exe, windows7-x64 (score 8)
hxjydazhuz...��.exe, windows10-2004-x64 (score 10)
新云软件.url, windows7-x64 (score 1)
新云软件.url, windows10-2004-x64 (score 1)
Analysis
max time kernel: 179s
max time network: 162s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 22:41
Behavioral task behavioral1
Sample: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/dm.dll
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/dm.dll
Resource: win10v2004-20220812-en
Behavioral task behavioral3
Sample: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/jedata.dll
Resource: win7-20220812-en
Behavioral task behavioral4
Sample: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/jedata.dll
Resource: win10v2004-20220812-en
Behavioral task behavioral5
Sample: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/火线精英大主宰自�.exe
Resource: win7-20221111-en
Behavioral task behavioral6
Sample: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/火线精英大主宰自�.exe
Resource: win10v2004-20220812-en
Behavioral task behavioral7
Sample: 新云软件.url
Resource: win7-20220812-en
Behavioral task behavioral8
Sample: 新云软件.url
Resource: win10v2004-20220812-en
General
Target: hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/火线精英大主宰自�.exe
Size: 9.5MB
MD5: 0daf49a958b5c4439f19f523cac7bdfd
SHA1: 8b25d655d491765aad34f39f3fed9383111f3e5c
SHA256: 73330c8974eb98a387b05e2176f76ae8f768436501a6c162fd6c09492c7df370
SHA512: ed060246dfaa16a8951a62e6afe5395ddfe03a81a6d8b36a7bee0fe4de8fb151051ed0703638a28a1d2932cd1f36b144fc869a07c3a24600b6f023ad456eb8c6
SSDEEP: 196608:UJ4D0KPNxhpZ9dmB33Zfn4Rei56tqP5sdMEVgFqjcD/UKFR+:e4D0KVxhpLdmBHx4D6tndMWgFqQTUc
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes (pid | process):
972 | zz.exe
1056 | z1.exe
1400 | z1.exe
1856 | 2345Explorer.exe
-
Processes (resource | yara_rule):
behavioral5/memory/2024-55-0x0000000000400000-0x0000000001410000-memory.dmp | upx
behavioral5/memory/2024-61-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral5/memory/2024-87-0x0000000000400000-0x0000000001410000-memory.dmp | upx
behavioral5/memory/2024-88-0x0000000000400000-0x0000000001410000-memory.dmp | upx
-
Loads dropped DLL 7 IoCs
Processes (pid | process):
972 | zz.exe
972 | zz.exe
972 | zz.exe
972 | zz.exe
1856 | 2345Explorer.exe
1856 | 2345Explorer.exe
1856 | 2345Explorer.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes (description | ioc | process):
File created | C:\Program Files (x86)\2345Explorer\StartPage\search.htm | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\guide_ie.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\incognito\main_search_bigicon_sogou.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_mgoogle.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_xshooter.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\CoralUpdate.dll | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\icon_movie.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\blank.htm | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\home\qq_big.jpg | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_sogou.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_list_button2.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\Wallpaper_pre_01.bmp | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\all_search_icon_baidu.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_item2_hover1.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_edit_bg2.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_dgoogle.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Config\FavIcon\A4C4A052651124668E8F829A3AA6D63C.ico.jpg | zz.exe
File created | C:\Program Files (x86)\2345Explorer\CoralUI2.dll | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\ico_ie.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\incognito\main_search_bg2.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_gjingdong.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_gdangdang.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Config\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Config\Users\Default\SystemUrl.data | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Skins\Growth.skn | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_list_icon.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\js\coral_search.js | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Skins\Pink.skn | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\grid_load.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_bottombar_report2.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_gjingdong.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_wsoso.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Lang\CoralLang_chs.dll | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\icon_game.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_item_hover1.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\incognito\main_search_bg1.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\iconBg.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_search_button_bg1.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_gjyjo.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_xduote.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_yahoo.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\icon_goods.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_search_xl_background1.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_close2.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_gdangdang.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_gpaipai.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Config\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\css\search.css | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_wwiki.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\js\index.js | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\wico_sina.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_search_bigicon_baidu.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_bar_blank.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\2345智能浏览器免责声明.txt | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\close_tab2.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\icon_music.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_bottombar_report3.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_isoso.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_gpaipai.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Config\FavIcon\1860F34853BBC50F66BF81B679989830.ico | zz.exe
File opened for modification | C:\Program Files (x86)\2345Explorer\2345Explorer.exe | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_item_loading.gif | zz.exe
File created | C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_none.png | zz.exe
File created | C:\Program Files (x86)\2345Explorer\Config\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico.jpg | zz.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A41C030-6E76-11ED-8553-72598884447E} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A419920-6E76-11ED-8553-72598884447E} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k99712611" | 火线精英大主宰自�.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (description | pid | process):
Token: 33 | 2024 | 火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege | 2024 | 火线精英大主宰自�.exe
Token: 33 | 2024 | 火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege | 2024 | 火线精英大主宰自�.exe
Token: 33 | 2024 | 火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege | 2024 | 火线精英大主宰自�.exe
Token: 33 | 2024 | 火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege | 2024 | 火线精英大主宰自�.exe
Token: 33 | 2024 | 火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege | 2024 | 火线精英大主宰自�.exe
Token: 33 | 2024 | 火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege | 2024 | 火线精英大主宰自�.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes (pid | process):
2024 | 火线精英大主宰自�.exe
2024 | 火线精英大主宰自�.exe
2024 | 火线精英大主宰自�.exe
948 | iexplore.exe
1728 | iexplore.exe
948 | iexplore.exe
1728 | iexplore.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes (description | pid | process | target process):
PID 2024 wrote to memory of 972 | 2024 | 火线精英大主宰自�.exe | zz.exe
PID 2024 wrote to memory of 972 | 2024 | 火线精英大主宰自�.exe | zz.exe
PID 2024 wrote to memory of 972 | 2024 | 火线精英大主宰自�.exe | zz.exe
PID 2024 wrote to memory of 972 | 2024 | 火线精英大主宰自�.exe | zz.exe
PID 2024 wrote to memory of 1056 | 2024 | 火线精英大主宰自�.exe | z1.exe
PID 2024 wrote to memory of 1056 | 2024 | 火线精英大主宰自�.exe | z1.exe
PID 2024 wrote to memory of 1056 | 2024 | 火线精英大主宰自�.exe | z1.exe
PID 2024 wrote to memory of 1056 | 2024 | 火线精英大主宰自�.exe | z1.exe
PID 1056 wrote to memory of 1400 | 1056 | z1.exe | z1.exe
PID 1056 wrote to memory of 1400 | 1056 | z1.exe | z1.exe
PID 1056 wrote to memory of 1400 | 1056 | z1.exe | z1.exe
PID 1056 wrote to memory of 1400 | 1056 | z1.exe | z1.exe
PID 972 wrote to memory of 1856 | 972 | zz.exe | 2345Explorer.exe
PID 972 wrote to memory of 1856 | 972 | zz.exe | 2345Explorer.exe
PID 972 wrote to memory of 1856 | 972 | zz.exe | 2345Explorer.exe
PID 972 wrote to memory of 1856 | 972 | zz.exe | 2345Explorer.exe
PID 2024 wrote to memory of 948 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 948 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 948 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 948 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 1728 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 1728 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 1728 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 2024 wrote to memory of 1728 | 2024 | 火线精英大主宰自�.exe | iexplore.exe
PID 948 wrote to memory of 292 | 948 | iexplore.exe | IEXPLORE.EXE
PID 1728 wrote to memory of 928 | 1728 | iexplore.exe | IEXPLORE.EXE
PID 948 wrote to memory of 292 | 948 | iexplore.exe | IEXPLORE.EXE
PID 948 wrote to memory of 292 | 948 | iexplore.exe | IEXPLORE.EXE
PID 948 wrote to memory of 292 | 948 | iexplore.exe | IEXPLORE.EXE
PID 1728 wrote to memory of 928 | 1728 | iexplore.exe | IEXPLORE.EXE
PID 1728 wrote to memory of 928 | 1728 | iexplore.exe | IEXPLORE.EXE
PID 1728 wrote to memory of 928 | 1728 | iexplore.exe | IEXPLORE.EXE
Processes (process tree, indented by depth; image path, then command line, then the signatures hit by that process)
-
[1] C:\Users\Admin\AppData\Local\Temp\hxjydazhuzai\火线精英大主宰自动开枪脚本多分辨率支持V1.2\火线精英大主宰自�.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\hxjydazhuzai\火线精英大主宰自动开枪脚本多分辨率支持V1.2\火线精英大主宰自�.exe"
    - Modifies Internet Explorer start page
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\zz.exe
        command line: C:\zz.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\2345Explorer\2345Explorer.exe
            command line: "C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --update=install
            - Executes dropped EXE
            - Loads dropped DLL
    [2] C:\z1.exe
        command line: C:\z1.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\z1.exe
            command line: "C:\z1.exe" install_admin
            - Executes dropped EXE
    [2] C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qingqingwg.com/
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
    [2] C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qingqingwg.com/
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize: 185KB
MD5: c3e3249c7e5cb23603c0ae7c4554ea6c
SHA1: 178e724b24bd2010c6c59ab562166d06bda9bcf4
SHA256: 77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748
SHA512: bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64
-
C:\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize: 223KB
MD5: 5b21753f92218a3d7cb78003185aa589
SHA1: f6883b985ca7a5ab635afac2dc38625deae850aa
SHA256: fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316
SHA512: 822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584
-
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize: 1.6MB
MD5: dd5adc0ac08ffc46207882c34fe2feec
SHA1: 0a8fd57c7440100f55c348a532f6327ba38259bc
SHA256: efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba
SHA512: 749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d
-
C:\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize: 417KB
MD5: 44f919b683088036aacf6ba474d46665
SHA1: b6aaa8a3a47b1b7ddf70391009f6c601104dff54
SHA256: 314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6
SHA512: 164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da
-
C:\Users\Admin\AppData\Roaming\2345.com\z1.exe
Filesize: 7.2MB
MD5: 03b4983dda409e2148e6f4488bf2a880
SHA1: c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8
SHA256: dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f
SHA512: 69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a
-
C:\z1.exe
Filesize: 7.2MB
MD5: 03b4983dda409e2148e6f4488bf2a880
SHA1: c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8
SHA256: dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f
SHA512: 69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a
-
C:\zz.exe
Filesize: 7.5MB
MD5: dff8feaeb72beb9dc2ba899a8d6d06ed
SHA1: 98bef8147c8cf2ef4936183d2155e3a808a443c3
SHA256: 1fe5f239b412085a6453657269f94ed3b9061ecc302ce49d4215235674ee20f8
SHA512: 2ba451c355b853d6919ef47256919295e80310f36eabc4c4d8576da2d0b16ede3182aa4f5c451799db60aeada0de2760ece09fcf32aee97e3bc4aadd17a9056a
-
\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize: 185KB
MD5: c3e3249c7e5cb23603c0ae7c4554ea6c
SHA1: 178e724b24bd2010c6c59ab562166d06bda9bcf4
SHA256: 77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748
SHA512: bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64
-
\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize: 223KB
MD5: 5b21753f92218a3d7cb78003185aa589
SHA1: f6883b985ca7a5ab635afac2dc38625deae850aa
SHA256: fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316
SHA512: 822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584
-
\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize: 1.6MB
MD5: dd5adc0ac08ffc46207882c34fe2feec
SHA1: 0a8fd57c7440100f55c348a532f6327ba38259bc
SHA256: efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba
SHA512: 749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d
-
\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize: 417KB
MD5: 44f919b683088036aacf6ba474d46665
SHA1: b6aaa8a3a47b1b7ddf70391009f6c601104dff54
SHA256: 314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6
SHA512: 164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da
-
\Users\Admin\AppData\Local\Temp\nsoB80C.tmp\FileInfo.dll
Filesize: 98KB
MD5: d062c6eab9f32074e09a7ffdc614a545
SHA1: d76f8d98dd0cf968cabc852e98aaaaf930f38ac2
SHA256: bd57ae6c723b3df90b388c830b6bc6c3eb69fc32825593e98fcbbdad1fa98394
SHA512: 60e807e31c84cb827185a270251de33dc329585b889bdd8a9aa88aac3d1561e834c3011114052877fbc35d32c39859bcaff2dabe395cc2f8439552146467b6c7
-
\Users\Admin\AppData\Local\Temp\nsoB80C.tmp\RCPicPlugin.dll
Filesize: 964KB
MD5: 6c300d543082a57bf2c3b2288020ab6d
SHA1: 4cba3f4f8065f5fb57fc8cdf0a6425eb544b6051
SHA256: aa3e4c13fac3f06def7c54e3b8c886bcda50205c501cbc6a4e33fa0c8072b929
SHA512: cf8b600712c735a5110560840a655a83629aec16f316b82401a52428e7575e733817ca54737fa771add0699254022af66599c8179cef18c1df5fc0364015a960
-
\Users\Admin\AppData\Local\Temp\nsoB80C.tmp\System.dll
Filesize: 11KB
MD5: 4cf3a81ab4579b30117c8a39a489d51d
SHA1: 61af475e11e4e79e6a11e761fcb540d9c5eec0e9
SHA256: 29f4a1c87161643e0ed5c46b46786d9a48437ec5dc6b99f4ff14037429e6e20a
SHA512: 885d131304afbe92b9b0a16830b6b34c6b78e44f972c20aad63cf3695a400f2d82cf217753da2a2e5e399fdd5dd3306a257e9501a86884cad853e01ee125a664
-
memory/972-56-0x0000000000000000-mapping.dmp
memory/1056-64-0x0000000000000000-mapping.dmp
memory/1400-68-0x0000000000000000-mapping.dmp
memory/1856-73-0x0000000000000000-mapping.dmp
memory/1856-81-0x0000000002C00000-0x0000000002DA3000-memory.dmp (Filesize: 1.6MB)
memory/1856-85-0x0000000002B70000-0x0000000002BDA000-memory.dmp (Filesize: 424KB)
memory/2024-54-0x0000000075881000-0x0000000075883000-memory.dmp (Filesize: 8KB)
memory/2024-61-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
memory/2024-55-0x0000000000400000-0x0000000001410000-memory.dmp (Filesize: 16.1MB)
memory/2024-87-0x0000000000400000-0x0000000001410000-memory.dmp (Filesize: 16.1MB)
memory/2024-88-0x0000000000400000-0x0000000001410000-memory.dmp (Filesize: 16.1MB)