24f3b147914290a2537d0a61f52009db0f82f5ccdc7eb8843923b44f61a78f72

Analysis

max time kernel
153s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/火线精英大主宰自�.exe
Size

9.5MB
MD5

0daf49a958b5c4439f19f523cac7bdfd
SHA1

8b25d655d491765aad34f39f3fed9383111f3e5c
SHA256

73330c8974eb98a387b05e2176f76ae8f768436501a6c162fd6c09492c7df370
SHA512

ed060246dfaa16a8951a62e6afe5395ddfe03a81a6d8b36a7bee0fe4de8fb151051ed0703638a28a1d2932cd1f36b144fc869a07c3a24600b6f023ad456eb8c6
SSDEEP

196608:UJ4D0KPNxhpZ9dmB33Zfn4Rei56tqP5sdMEVgFqjcD/UKFR+:e4D0KVxhpLdmBHx4D6tndMWgFqQTUc

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 432 created 2256 432 svchost.exe zz.exe

description	pid	process	target process
PID 432 created 2256	432	svchost.exe	zz.exe

Executes dropped EXE 16 IoCs

Processes:

zz.exez1.exez1.exez1.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe

pid	process
2256	zz.exe
1924	z1.exe
2028	z1.exe
2500	z1.exe
2668	2345Explorer.exe
3904	2345Explorer.exe
4052	2345Explorer.exe
2324	2345Explorer.exe
3428	2345Explorer.exe
3964	2345Explorer.exe
3012	2345Explorer.exe
2208	2345Explorer.exe
5500	2345Explorer.exe
3060	2345Explorer.exe
3380	2345Explorer.exe
1004	2345Explorer.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

2345Explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\""	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\""	2345Explorer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/3008-132-0x0000000000400000-0x0000000001410000-memory.dmp	upx
behavioral6/memory/3008-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral6/memory/3008-142-0x0000000000400000-0x0000000001410000-memory.dmp	upx
behavioral6/memory/3008-169-0x0000000000400000-0x0000000001410000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

z1.exez1.exez1.exe2345Explorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	z1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	z1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	z1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2345Explorer.exe

Loads dropped DLL 64 IoCs

Processes:

zz.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe

pid	process
2256	zz.exe
2256	zz.exe
2256	zz.exe
2668	2345Explorer.exe
2668	2345Explorer.exe
2668	2345Explorer.exe
2668	2345Explorer.exe
2668	2345Explorer.exe
3904	2345Explorer.exe
3904	2345Explorer.exe
3904	2345Explorer.exe
4052	2345Explorer.exe
2256	zz.exe
2256	zz.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
2324	2345Explorer.exe
2324	2345Explorer.exe
2324	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
2324	2345Explorer.exe
2324	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
3964	2345Explorer.exe
3964	2345Explorer.exe
3964	2345Explorer.exe
3964	2345Explorer.exe
3964	2345Explorer.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
3012	2345Explorer.exe
3012	2345Explorer.exe
3012	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

Processes:

2345Explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2345Explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

zz.exe

description	ioc	process
File created	C:\Program Files (x86)\2345Explorer\StartPage\js\index.js	zz.exe
File created	C:\Program Files (x86)\2345Explorer\UserCenter\images\retry_banner.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_item22.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_close2.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\home\qq_big.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_list_icon1.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_baidu.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_bing.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\CoralApp.dll	zz.exe
File created	C:\Program Files (x86)\2345Explorer\Lang\CoralLang_chs.dll	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\bg_404.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_bottombar_report.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\Wallpaper_04_1366.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\close_tab2.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_background.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\sprite_0718.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\msvcr80.dll	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_google.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\Config\FavIcon\recovery.ico	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\Wallpaper_02.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\Wallpaper_02_1366.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\wico_sohu.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\home\ai_taobao_big.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_item_hover1.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\Config\Users\Default\SystemUrl.data	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_list_icon.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_bing.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_google.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_vsoso.png	zz.exe
File opened for modification	C:\Program Files (x86)\2345Explorer\2345Explorer.exe	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\Wallpaper_pre_02.bmp	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_preview_but.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\incognito\main_search_bigicon_baidu.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\home\sohu_big.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_isoso.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_xduote.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\2345Explorer.exe	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\add_hover.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_edit_bg1.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\wico_google.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\fancybox\jquery.fancybox-1.3.4.js	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_baidu.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_gjingdong.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\quan.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\wico_fenghuang.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_wwiki.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\Addon\Capture.addon	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\icon_movie.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_bar_blank_hover.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_list_button2.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\home\game_big.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\js\coral_commom.js	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\close_tab.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_bar_bj.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_grid_item_add.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\error\404_1.jpg	zz.exe
File created	C:\Program Files (x86)\2345Explorer\CoralTrident.dll	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\main_search_bg2.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\popup_dialog_list_icon3.gif	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\informantCenter\closeA.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\incognito\main_search_button_bg1.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_logo_vbaidu.png	zz.exe
File created	C:\Program Files (x86)\2345Explorer\Config\FavIcon\default_page.ico	zz.exe
File created	C:\Program Files (x86)\2345Explorer\StartPage\images\search\main_search_icon_dgoogle.png	zz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5424 2208 WerFault.exe 2345Explorer.exe
644 5500 WerFault.exe 2345Explorer.exe
3560 3060 WerFault.exe 2345Explorer.exe

pid	pid_target	process	target process
5424	2208	WerFault.exe	2345Explorer.exe
644	5500	WerFault.exe	2345Explorer.exe
3560	3060	WerFault.exe	2345Explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXE2345Explorer.exeiexplore.exe2345Explorer.exe2345Explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "38"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\2345Explorer.exe = "10"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1231012570"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "185"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\2345Explorer.exe = "0"	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999171"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "38"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "110"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "110"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION\2345Explorer.exe = "0"	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999171"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1231022147"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1233162432"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999171"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "137"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\2345Explorer.exe = "0"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\2345Explorer.exe = "0"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "185"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "56"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "56"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "110"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2345Explorer.exe = "11000"	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\2345Explorer.exe = "1"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999171"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "137"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\2345Explorer.exe = "10"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "56"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	2345Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "38"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "137"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

火线精英大主宰自�.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k99712611"	火线精英大主宰自�.exe

Modifies registry class 45 IoCs

Processes:

2345Explorer.exemsedge.exez1.exe2345Explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\shell	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\shell\open	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,1"	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\shell\ = "open"	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\""	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	2345Explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\open\DontReturnProcessHandle	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\open\command	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\shell\open\command\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\" \"%1\""	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\DefaultIcon	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\ = "2345ExplorerHTML"	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\URL Protocol	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML\shell\open\command	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	z1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\open\CommandId = "IE.Protocol"	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\" \"%1\""	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\2345Explorer	2345Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\" \"%1\""	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\open	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\2345Explorer\command	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\2345Explorer\command\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\" \"%1\""	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "\"C:\\Program Files (x86)\\2345Explorer\\2345Explorer.exe\""	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell	2345Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\2345Explorer.exe\shell\ = "2345Explorer"	2345Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\2345ExplorerHTML	2345Explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	2345Explorer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2345Explorer.exe2345Explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2345Explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	2345Explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	2345Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2345Explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exezz.exemsedge.exe

pid process

2708 msedge.exe
2708 msedge.exe
2216 msedge.exe
2216 msedge.exe
2256 zz.exe
2256 zz.exe
4836 msedge.exe
4836 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe

pid	process
2708	msedge.exe
2708	msedge.exe
2216	msedge.exe
2216	msedge.exe
2256	zz.exe
2256	zz.exe
4836	msedge.exe
4836	msedge.exe

pid	process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

火线精英大主宰自�.exesvchost.exe

description	pid	process
Token: 33	3008	火线精英大主宰自�.exe
Token: SeIncBasePriorityPrivilege	3008	火线精英大主宰自�.exe
Token: SeTcbPrivilege	432	svchost.exe
Token: SeTcbPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeRestorePrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeRestorePrivilege	432	svchost.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

iexplore.exemsedge.exe2345Explorer.exe2345Explorer.exe

pid	process
3416	iexplore.exe
4836	msedge.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
3428	2345Explorer.exe
4836	msedge.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

2345Explorer.exe2345Explorer.exe

pid	process
3428	2345Explorer.exe
3428	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe
4052	2345Explorer.exe

Suspicious use of SetWindowsHookEx 40 IoCs

Processes:

火线精英大主宰自�.exeiexplore.exeIEXPLORE.EXE2345Explorer.exe2345Explorer.exe2345Explorer.exe2345Explorer.exe

pid	process
3008	火线精英大主宰自�.exe
3008	火线精英大主宰自�.exe
3008	火线精英大主宰自�.exe
3416	iexplore.exe
3416	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
2208	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
5500	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
3060	2345Explorer.exe
4052	2345Explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

火线精英大主宰自�.exez1.exez1.exezz.exez1.exemsedge.exemsedge.exe2345Explorer.exeiexplore.exe

description	pid	process	target process
PID 3008 wrote to memory of 2256	3008	火线精英大主宰自�.exe	zz.exe
PID 3008 wrote to memory of 2256	3008	火线精英大主宰自�.exe	zz.exe
PID 3008 wrote to memory of 2256	3008	火线精英大主宰自�.exe	zz.exe
PID 3008 wrote to memory of 1924	3008	火线精英大主宰自�.exe	z1.exe
PID 3008 wrote to memory of 1924	3008	火线精英大主宰自�.exe	z1.exe
PID 3008 wrote to memory of 1924	3008	火线精英大主宰自�.exe	z1.exe
PID 1924 wrote to memory of 2028	1924	z1.exe	z1.exe
PID 1924 wrote to memory of 2028	1924	z1.exe	z1.exe
PID 1924 wrote to memory of 2028	1924	z1.exe	z1.exe
PID 2028 wrote to memory of 2500	2028	z1.exe	z1.exe
PID 2028 wrote to memory of 2500	2028	z1.exe	z1.exe
PID 2028 wrote to memory of 2500	2028	z1.exe	z1.exe
PID 2256 wrote to memory of 2668	2256	zz.exe	2345Explorer.exe
PID 2256 wrote to memory of 2668	2256	zz.exe	2345Explorer.exe
PID 2256 wrote to memory of 2668	2256	zz.exe	2345Explorer.exe
PID 3008 wrote to memory of 4836	3008	火线精英大主宰自�.exe	msedge.exe
PID 3008 wrote to memory of 4836	3008	火线精英大主宰自�.exe	msedge.exe
PID 3008 wrote to memory of 3988	3008	火线精英大主宰自�.exe	msedge.exe
PID 3008 wrote to memory of 3988	3008	火线精英大主宰自�.exe	msedge.exe
PID 2500 wrote to memory of 3416	2500	z1.exe	iexplore.exe
PID 2500 wrote to memory of 3416	2500	z1.exe	iexplore.exe
PID 4836 wrote to memory of 1620	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 1620	4836	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4176	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4176	3988	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3904	2668	2345Explorer.exe	2345Explorer.exe
PID 2668 wrote to memory of 3904	2668	2345Explorer.exe	2345Explorer.exe
PID 2668 wrote to memory of 3904	2668	2345Explorer.exe	2345Explorer.exe
PID 3416 wrote to memory of 1760	3416	iexplore.exe	IEXPLORE.EXE
PID 3416 wrote to memory of 1760	3416	iexplore.exe	IEXPLORE.EXE
PID 3416 wrote to memory of 1760	3416	iexplore.exe	IEXPLORE.EXE
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3068	4836	msedge.exe	msedge.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\hxjydazhuzai\火线精英大主宰自动开枪脚本多分辨率支持V1.2\火线精英大主宰自�.exe
"C:\Users\Admin\AppData\Local\Temp\hxjydazhuzai\火线精英大主宰自动开枪脚本多分辨率支持V1.2\火线精英大主宰自�.exe"
2⤵
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\zz.exe
C:\zz.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --update=install
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2668

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --helper=cleanup --shm=Coral.Cleanup.{B9719417-5FA9-49F1-947F-F4504B732085}
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3904

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
--type=RenderIEAdvanced --channel=Coral.ChannelID.{D96A26B7-7415-4299-A347-46588782E7A5} --parent_channel=4052
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1788
7⤵
- Program crash
PID:5424

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
--type=RenderIEAdvanced --channel=Coral.ChannelID.{F362B2A9-BDC4-4687-957E-880B11B2ACD7} --parent_channel=4052
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1796
7⤵
- Program crash
PID:644

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
--type=RenderIEAdvanced --channel=Coral.ChannelID.{FCCEDDDF-9437-4627-9607-23A1D67CDB0C} --parent_channel=4052
6⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 2944
7⤵
- Program crash
PID:3560

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --update=update
6⤵
- Executes dropped EXE
PID:3380

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
--type=RenderIEAdvanced --channel=Coral.ChannelID.{C0C8DB1E-320B-48E9-A401-D692B894F328} --parent_channel=4052
6⤵
- Executes dropped EXE
PID:1004

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --update=send_install
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --helper=cleanup --shm=Coral.Cleanup.{E11852E1-2370-4A7A-986C-EAE3A58309D4}
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --config=set_default_browser
4⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:3964

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --config=desktop_bubble
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3428

C:\z1.exe
C:\z1.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1924

C:\z1.exe
"C:\z1.exe" install_admin
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\2345.com\z1.exe
"C:\Users\Admin\AppData\Roaming\2345.com\z1.exe" run
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?desk
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3416 CREDAT:17410 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.qingqingwg.com/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc187946f8,0x7ffc18794708,0x7ffc18794718
4⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
4⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
4⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
4⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
4⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 /prefetch:8
4⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 /prefetch:8
4⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
4⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4592881293650269593,7420578658800007368,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
4⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.qingqingwg.com/
3⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc187946f8,0x7ffc18794708,0x7ffc18794718
4⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,18177503521651533954,12525256549090618558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18177503521651533954,12525256549090618558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
4⤵
PID:3972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2208 -ip 2208
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5500 -ip 5500
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3060 -ip 3060
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize
185KB

MD5
c3e3249c7e5cb23603c0ae7c4554ea6c

SHA1
178e724b24bd2010c6c59ab562166d06bda9bcf4

SHA256
77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748

SHA512
bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64

Download Submit
C:\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize
185KB

MD5
c3e3249c7e5cb23603c0ae7c4554ea6c

SHA1
178e724b24bd2010c6c59ab562166d06bda9bcf4

SHA256
77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748

SHA512
bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64

Download Submit
C:\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize
185KB

MD5
c3e3249c7e5cb23603c0ae7c4554ea6c

SHA1
178e724b24bd2010c6c59ab562166d06bda9bcf4

SHA256
77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748

SHA512
bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64

Download Submit
C:\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize
185KB

MD5
c3e3249c7e5cb23603c0ae7c4554ea6c

SHA1
178e724b24bd2010c6c59ab562166d06bda9bcf4

SHA256
77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748

SHA512
bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64

Download Submit
C:\Program Files (x86)\2345Explorer\2345Explorer.exe
Filesize
185KB

MD5
c3e3249c7e5cb23603c0ae7c4554ea6c

SHA1
178e724b24bd2010c6c59ab562166d06bda9bcf4

SHA256
77b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748

SHA512
bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64

Download Submit
C:\Program Files (x86)\2345Explorer\Coral.dll
Filesize
1.9MB

MD5
24e578a4bd7bddd1bf33c213086b3a0b

SHA1
82d07b73cc1841045c70576d2cf9165d46951bc9

SHA256
19a3887439637f78181cb963c96897d5dad2b34fd4c2d49cbfa09650a80f97a2

SHA512
84786a1818e501ceea39d405ee1c857df2f6156fa0bb708020326f566820adcf9ab5e7cc66d1ca7aa96d00c18814e8cecdc769b4b3ed990ff5008cfcb7601beb

Download Submit
C:\Program Files (x86)\2345Explorer\Coral.dll
Filesize
1.9MB

MD5
24e578a4bd7bddd1bf33c213086b3a0b

SHA1
82d07b73cc1841045c70576d2cf9165d46951bc9

SHA256
19a3887439637f78181cb963c96897d5dad2b34fd4c2d49cbfa09650a80f97a2

SHA512
84786a1818e501ceea39d405ee1c857df2f6156fa0bb708020326f566820adcf9ab5e7cc66d1ca7aa96d00c18814e8cecdc769b4b3ed990ff5008cfcb7601beb

Download Submit
C:\Program Files (x86)\2345Explorer\Coral.dll
Filesize
1.9MB

MD5
24e578a4bd7bddd1bf33c213086b3a0b

SHA1
82d07b73cc1841045c70576d2cf9165d46951bc9

SHA256
19a3887439637f78181cb963c96897d5dad2b34fd4c2d49cbfa09650a80f97a2

SHA512
84786a1818e501ceea39d405ee1c857df2f6156fa0bb708020326f566820adcf9ab5e7cc66d1ca7aa96d00c18814e8cecdc769b4b3ed990ff5008cfcb7601beb

Download Submit
C:\Program Files (x86)\2345Explorer\Coral.dll
Filesize
1.9MB

MD5
24e578a4bd7bddd1bf33c213086b3a0b

SHA1
82d07b73cc1841045c70576d2cf9165d46951bc9

SHA256
19a3887439637f78181cb963c96897d5dad2b34fd4c2d49cbfa09650a80f97a2

SHA512
84786a1818e501ceea39d405ee1c857df2f6156fa0bb708020326f566820adcf9ab5e7cc66d1ca7aa96d00c18814e8cecdc769b4b3ed990ff5008cfcb7601beb

Download Submit
C:\Program Files (x86)\2345Explorer\Coral.dll
Filesize
1.9MB

MD5
24e578a4bd7bddd1bf33c213086b3a0b

SHA1
82d07b73cc1841045c70576d2cf9165d46951bc9

SHA256
19a3887439637f78181cb963c96897d5dad2b34fd4c2d49cbfa09650a80f97a2

SHA512
84786a1818e501ceea39d405ee1c857df2f6156fa0bb708020326f566820adcf9ab5e7cc66d1ca7aa96d00c18814e8cecdc769b4b3ed990ff5008cfcb7601beb

Download Submit
C:\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize
223KB

MD5
5b21753f92218a3d7cb78003185aa589

SHA1
f6883b985ca7a5ab635afac2dc38625deae850aa

SHA256
fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316

SHA512
822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584

Download Submit
C:\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize
223KB

MD5
5b21753f92218a3d7cb78003185aa589

SHA1
f6883b985ca7a5ab635afac2dc38625deae850aa

SHA256
fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316

SHA512
822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584

Download Submit
C:\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize
223KB

MD5
5b21753f92218a3d7cb78003185aa589

SHA1
f6883b985ca7a5ab635afac2dc38625deae850aa

SHA256
fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316

SHA512
822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584

Download Submit
C:\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize
223KB

MD5
5b21753f92218a3d7cb78003185aa589

SHA1
f6883b985ca7a5ab635afac2dc38625deae850aa

SHA256
fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316

SHA512
822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584

Download Submit
C:\Program Files (x86)\2345Explorer\CoralApp.dll
Filesize
223KB

MD5
5b21753f92218a3d7cb78003185aa589

SHA1
f6883b985ca7a5ab635afac2dc38625deae850aa

SHA256
fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316

SHA512
822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDb.dll
Filesize
1.6MB

MD5
dd5adc0ac08ffc46207882c34fe2feec

SHA1
0a8fd57c7440100f55c348a532f6327ba38259bc

SHA256
efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba

SHA512
749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDownload.dll
Filesize
879KB

MD5
461f202f85504c4e3c6697ebf629063b

SHA1
f4e4843793e29a7db124d9a587c6d4b28b2b1128

SHA256
6188217306534233706d1a301d6f662a17db95e576e3979b388a1e6160427dbe

SHA512
e9ecbf50bb723ac962d2c5141d2b47bd2894e4781f6df39ea86d1348f359c8ecc471ec2a9f8bf0c724413b2fa96e50b6aa5642cdb6d59c5651e7f55f52468107

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDownload.dll
Filesize
879KB

MD5
461f202f85504c4e3c6697ebf629063b

SHA1
f4e4843793e29a7db124d9a587c6d4b28b2b1128

SHA256
6188217306534233706d1a301d6f662a17db95e576e3979b388a1e6160427dbe

SHA512
e9ecbf50bb723ac962d2c5141d2b47bd2894e4781f6df39ea86d1348f359c8ecc471ec2a9f8bf0c724413b2fa96e50b6aa5642cdb6d59c5651e7f55f52468107

Download Submit
C:\Program Files (x86)\2345Explorer\CoralDownload.dll
Filesize
879KB

MD5
461f202f85504c4e3c6697ebf629063b

SHA1
f4e4843793e29a7db124d9a587c6d4b28b2b1128

SHA256
6188217306534233706d1a301d6f662a17db95e576e3979b388a1e6160427dbe

SHA512
e9ecbf50bb723ac962d2c5141d2b47bd2894e4781f6df39ea86d1348f359c8ecc471ec2a9f8bf0c724413b2fa96e50b6aa5642cdb6d59c5651e7f55f52468107

Download Submit
C:\Program Files (x86)\2345Explorer\CoralRender.dll
Filesize
372KB

MD5
75c7910320870e5bfc14f08a2b47079f

SHA1
1150b02685a78f7a53a17524b4283eda58fe5121

SHA256
18c94b5bef85c4d7e8a0761c90a6064630b4f2c512d783fd8dedec54632020b1

SHA512
17916cec6c969e64482ba1f0138fa919d7d82d812387285d735f3830830782b50e88ea6f7e4818bf40dfad88814b383c82f9f49cbd6e4f5deac45e791c72fd2d

Download Submit
C:\Program Files (x86)\2345Explorer\CoralTrident.dll
Filesize
1.5MB

MD5
2713902e8980032b287c6bc86c8fdccf

SHA1
e8dcee6fee37efb132c9fcfed33ca38471d339ff

SHA256
f532413969ee7c95749d93b0b9a9d1ee5b1a1cf9763f6537b21984b817d12661

SHA512
a9efdabc96ea59949a56b30c2c1af9c67d188b48c932816bb5427451dfc110274915c7e6cb101397daa85da7babc4a624e78890df56af5fe0cc32a83a4887394

Download Submit
C:\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize
417KB

MD5
44f919b683088036aacf6ba474d46665

SHA1
b6aaa8a3a47b1b7ddf70391009f6c601104dff54

SHA256
314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6

SHA512
164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da

Download Submit
C:\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize
417KB

MD5
44f919b683088036aacf6ba474d46665

SHA1
b6aaa8a3a47b1b7ddf70391009f6c601104dff54

SHA256
314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6

SHA512
164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da

Download Submit
C:\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize
417KB

MD5
44f919b683088036aacf6ba474d46665

SHA1
b6aaa8a3a47b1b7ddf70391009f6c601104dff54

SHA256
314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6

SHA512
164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da

Download Submit
C:\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize
417KB

MD5
44f919b683088036aacf6ba474d46665

SHA1
b6aaa8a3a47b1b7ddf70391009f6c601104dff54

SHA256
314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6

SHA512
164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da

Download Submit
C:\Program Files (x86)\2345Explorer\CoralUpdate.dll
Filesize
417KB

MD5
44f919b683088036aacf6ba474d46665

SHA1
b6aaa8a3a47b1b7ddf70391009f6c601104dff54

SHA256
314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6

SHA512
164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da

Download Submit
C:\Program Files (x86)\2345Explorer\Lang\CoralLang_chs.dll
Filesize
1.3MB

MD5
24206b7fee174113e8a78cb7517f3e25

SHA1
c4a54687a8259d99f01ca6f600ed421cba5f355c

SHA256
97905c02c73683bded2caba3b37fb6836743468c09879e61109c7870beffabb4

SHA512
412194cdad4e67a936ad1392b791d03739e0c0dccb7ec43413f1c2bf7dc914a1f95e776bcf5454e272e8420340d9f329c7af2332d170eee06560cac8a7d58909

Download Submit
C:\Program Files (x86)\2345Explorer\Uninstall.exe
Filesize
614KB

MD5
13413d71564a5ec7ca05a4d3ff874ccb

SHA1
6e39adfae01fcb43a00e59d8d7e7cd622cea0166

SHA256
f4789e645695d93d1ef8f763005731699f350c9b72084ff1bcd0e08a2f4e47e7

SHA512
6779b5220f3bce943fbe60ba65f46e0c4aee27aae653c2ea990ae631d5f2e83d0d6974c0e5ac1a047b5a552c6dae3817abc82113f3218ed21b65c5273b6a17af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFEF8.tmp\FileInfo.dll
Filesize
98KB

MD5
d062c6eab9f32074e09a7ffdc614a545

SHA1
d76f8d98dd0cf968cabc852e98aaaaf930f38ac2

SHA256
bd57ae6c723b3df90b388c830b6bc6c3eb69fc32825593e98fcbbdad1fa98394

SHA512
60e807e31c84cb827185a270251de33dc329585b889bdd8a9aa88aac3d1561e834c3011114052877fbc35d32c39859bcaff2dabe395cc2f8439552146467b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFEF8.tmp\FileInfo.dll
Filesize
98KB

MD5
d062c6eab9f32074e09a7ffdc614a545

SHA1
d76f8d98dd0cf968cabc852e98aaaaf930f38ac2

SHA256
bd57ae6c723b3df90b388c830b6bc6c3eb69fc32825593e98fcbbdad1fa98394

SHA512
60e807e31c84cb827185a270251de33dc329585b889bdd8a9aa88aac3d1561e834c3011114052877fbc35d32c39859bcaff2dabe395cc2f8439552146467b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFEF8.tmp\FileInfo.dll
Filesize
98KB

MD5
d062c6eab9f32074e09a7ffdc614a545

SHA1
d76f8d98dd0cf968cabc852e98aaaaf930f38ac2

SHA256
bd57ae6c723b3df90b388c830b6bc6c3eb69fc32825593e98fcbbdad1fa98394

SHA512
60e807e31c84cb827185a270251de33dc329585b889bdd8a9aa88aac3d1561e834c3011114052877fbc35d32c39859bcaff2dabe395cc2f8439552146467b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFEF8.tmp\RCPicPlugin.dll
Filesize
964KB

MD5
6c300d543082a57bf2c3b2288020ab6d

SHA1
4cba3f4f8065f5fb57fc8cdf0a6425eb544b6051

SHA256
aa3e4c13fac3f06def7c54e3b8c886bcda50205c501cbc6a4e33fa0c8072b929

SHA512
cf8b600712c735a5110560840a655a83629aec16f316b82401a52428e7575e733817ca54737fa771add0699254022af66599c8179cef18c1df5fc0364015a960

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFEF8.tmp\System.dll
Filesize
11KB

MD5
4cf3a81ab4579b30117c8a39a489d51d

SHA1
61af475e11e4e79e6a11e761fcb540d9c5eec0e9

SHA256
29f4a1c87161643e0ed5c46b46786d9a48437ec5dc6b99f4ff14037429e6e20a

SHA512
885d131304afbe92b9b0a16830b6b34c6b78e44f972c20aad63cf3695a400f2d82cf217753da2a2e5e399fdd5dd3306a257e9501a86884cad853e01ee125a664

Download Submit
C:\Users\Admin\AppData\Roaming\2345.com\url.ini
Filesize
223B

MD5
e186592d9dd90a043f6fc0a662d79408

SHA1
902e83a61435f731a106b17c28cfa89522670a85

SHA256
a59c67a479cf73a5da159111d8288f91586c69038abfb3789a387467a664d740

SHA512
6a3950d9de42d6d501d3b6599d688c8bee8cbfb521e50b566e14ab9621f64130c1e9430e10ed9e07bae270ecbcbba8dddf2ae2bd87717ed044a6ff15f775978c

Download Submit
C:\Users\Admin\AppData\Roaming\2345.com\z1.exe
Filesize
7.2MB

MD5
03b4983dda409e2148e6f4488bf2a880

SHA1
c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8

SHA256
dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f

SHA512
69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a

Download Submit
C:\Users\Admin\AppData\Roaming\2345.com\z1.exe
Filesize
7.2MB

MD5
03b4983dda409e2148e6f4488bf2a880

SHA1
c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8

SHA256
dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f

SHA512
69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a

Download Submit
C:\Users\Admin\AppData\Roaming\2345.com\z1.exe
Filesize
7.2MB

MD5
03b4983dda409e2148e6f4488bf2a880

SHA1
c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8

SHA256
dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f

SHA512
69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\2345Explorer.hzv
Filesize
6KB

MD5
fbd7ee42d2af36c2b5799532f31ead93

SHA1
c32e357d1f10544ca4c82c1ba686788532ac5a84

SHA256
3fe4258c3e59c39d0fd1381227bbd7c745db521f4af2f5c02dcd1ef2bdecb44d

SHA512
5887d270703a2327ada4b08aa738e29e97a918bced8d27b6a1ee0a9277424548082414235d6b97c1060da3171fb7adc1c3c99fd78fb905317b64aaee468fd883

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\2345Explorer.hzv
Filesize
9KB

MD5
c9c74ccd14ae48b98dc4a52cd0ca3f33

SHA1
5476fa4832cedad8c2ce93e386c9c9c291ae992a

SHA256
b5ad4b6a0af48d8ada68c90c4ea3e5e8dea4217b563439ba3479cc767e073d1b

SHA512
eeee528af67e71d09ce88039c308fcc295c18dd5e25ea65ba93d4f19e286b897d6c1e32681f0017dff53d1b9e5d6f6e6c845bebc7bf693ffdf1bb8c87eeed575

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\Users\Default\Default.cfg
Filesize
2KB

MD5
b3d753ae58b4c124f02177fa928aae48

SHA1
77cc2e73267e1b3460b5bee53cd0aaee818f09f4

SHA256
5036642e94cbe00b718fb53344625a9a7a536eb5d3f48fad9d94461e93cb0817

SHA512
b5db964f6bbf595c353a18af8ebbf07d3354bcb4d07054fdee3d74651e94eaf979172c5fcfa666b95821386703bda52eda5f04d5fb2b3e3ef4c8084e98ba93e4

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\Users\Default\FavoritesUpdate.data
Filesize
1KB

MD5
b91f7cc22b0638bb8fb603dc25627e5c

SHA1
22fecdd3f2fbcd57eb45c025d4340bf81381bf36

SHA256
77c11414255ae92c777546a9cad97efdd29c7ae8cd43963e660a893792e4d681

SHA512
4df60ae1aa7f8f8e2fe406abde7aea602646fd8a8d702b2e8b8adaf294e7a8de0532f0e8d4154317daa9ed1d5cae521c9c2eb543f74f63fb46d4911c42141e2f

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\Users\Default\FormData.data
Filesize
241B

MD5
e61f989a475d27c9fcaf817abe26deec

SHA1
77ff0012588529d617327f0b7f2593ef567c69cb

SHA256
c5f21ac8a7c61b6f1ac34734571ccae6c2d8c5985e4a2abb9c4bba67815b7e60

SHA512
5d3d5a3ea64bd40cb8f79fe64cc2294f148b926f3ed80d1e887a2ed19087fad87cb599d451271c5972c1a63e7e2ffdf72f9da94deec38ddb959b2b26d1d14dad

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\Users\Default\OnlineFav.data
Filesize
29B

MD5
99fb8e84b8aa92889349054a60e1f359

SHA1
1b3dd1afb4fe4533ca16db4dd3e7845c13b0e1c5

SHA256
5313e624a817ebcb34675027d12b87465de4fc4fdddfdd74d244490c4911b8e4

SHA512
2a99095109445c3ca1b9fad5c87fdfed331641401ca8d19d3ab4d109e18b9dc5feb739485f14f390bd3bcfa3a4325e3b1278fe1bb8690dd8df16edb9af52faac

Download Submit
C:\Users\Admin\AppData\Roaming\2345Explorer\Users\Default\SystemUrl.data
Filesize
155KB

MD5
486e6646296b3228766091e8b9e5742e

SHA1
a2f6b5da3ecbd9eb5f5b3bad9cb0ae6c4c9a8f26

SHA256
3e0d78f6f81d62f78a87f6e021fead714cbd43c37ad636f5559fd4fefc49a1d2

SHA512
e8a4b4e958b35d8de2860e7aebed2c45433b2fabbde34f7e6a9e4bd3a5fdd31ba5bf8c77f105441bb66b0fb60b7a52c3d97df5b2809eae67ee07bfd8aab92676

Download Submit
C:\z1.exe
Filesize
7.2MB

MD5
03b4983dda409e2148e6f4488bf2a880

SHA1
c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8

SHA256
dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f

SHA512
69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a

Download Submit
C:\z1.exe
Filesize
7.2MB

MD5
03b4983dda409e2148e6f4488bf2a880

SHA1
c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8

SHA256
dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f

SHA512
69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a

Download Submit
C:\z1.exe
Filesize
7.2MB

MD5
03b4983dda409e2148e6f4488bf2a880

SHA1
c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8

SHA256
dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f

SHA512
69ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a

Download Submit
C:\zz.exe
Filesize
7.5MB

MD5
dff8feaeb72beb9dc2ba899a8d6d06ed

SHA1
98bef8147c8cf2ef4936183d2155e3a808a443c3

SHA256
1fe5f239b412085a6453657269f94ed3b9061ecc302ce49d4215235674ee20f8

SHA512
2ba451c355b853d6919ef47256919295e80310f36eabc4c4d8576da2d0b16ede3182aa4f5c451799db60aeada0de2760ece09fcf32aee97e3bc4aadd17a9056a

Download Submit
C:\zz.exe
Filesize
7.5MB

MD5
dff8feaeb72beb9dc2ba899a8d6d06ed

SHA1
98bef8147c8cf2ef4936183d2155e3a808a443c3

SHA256
1fe5f239b412085a6453657269f94ed3b9061ecc302ce49d4215235674ee20f8

SHA512
2ba451c355b853d6919ef47256919295e80310f36eabc4c4d8576da2d0b16ede3182aa4f5c451799db60aeada0de2760ece09fcf32aee97e3bc4aadd17a9056a

Download Submit
\??\pipe\LOCAL\crashpad_3988_NLFUXFESHSVLUNAU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4836_QNOHENIMZPZHXHAK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1004-326-0x0000000000000000-mapping.dmp

Download
memory/1352-246-0x0000000000000000-mapping.dmp

Download
memory/1504-201-0x0000000000000000-mapping.dmp

Download
memory/1620-170-0x0000000000000000-mapping.dmp

Download
memory/1924-138-0x0000000000000000-mapping.dmp

Download
memory/2028-144-0x0000000000000000-mapping.dmp

Download
memory/2208-276-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/2208-280-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/2208-279-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/2208-266-0x00000000023C0000-0x0000000002563000-memory.dmp

Filesize
1.6MB

Download
memory/2208-264-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/2208-277-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/2208-274-0x0000000003060000-0x00000000030D2000-memory.dmp

Filesize
456KB

Download
memory/2208-257-0x0000000000000000-mapping.dmp

Download
memory/2208-270-0x0000000002CD0000-0x0000000002E55000-memory.dmp

Filesize
1.5MB

Download
memory/2208-278-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/2208-268-0x0000000002570000-0x000000000264D000-memory.dmp

Filesize
884KB

Download
memory/2216-194-0x0000000000000000-mapping.dmp

Download
memory/2256-133-0x0000000000000000-mapping.dmp

Download
memory/2256-204-0x0000000000660000-0x000000000067E000-memory.dmp

Filesize
120KB

Download
memory/2324-219-0x00000000025E0000-0x0000000002783000-memory.dmp

Filesize
1.6MB

Download
memory/2324-200-0x0000000000000000-mapping.dmp

Download
memory/2324-229-0x00000000027A0000-0x000000000280A000-memory.dmp

Filesize
424KB

Download
memory/2500-147-0x0000000000000000-mapping.dmp

Download
memory/2668-159-0x0000000002AB0000-0x0000000002C53000-memory.dmp

Filesize
1.6MB

Download
memory/2668-151-0x0000000000000000-mapping.dmp

Download
memory/2668-164-0x0000000002C60000-0x0000000002CCA000-memory.dmp

Filesize
424KB

Download
memory/2708-187-0x0000000000000000-mapping.dmp

Download
memory/2816-262-0x0000000000000000-mapping.dmp

Download
memory/3008-169-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/3008-142-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/3008-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3008-132-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/3012-258-0x00000000027E0000-0x00000000029D1000-memory.dmp

Filesize
1.9MB

Download
memory/3012-252-0x0000000000000000-mapping.dmp

Download
memory/3060-305-0x0000000000000000-mapping.dmp

Download
memory/3068-186-0x0000000000000000-mapping.dmp

Download
memory/3340-239-0x0000000000000000-mapping.dmp

Download
memory/3380-321-0x0000000000000000-mapping.dmp

Download
memory/3428-254-0x0000000002EA0000-0x0000000002FEB000-memory.dmp

Filesize
1.3MB

Download
memory/3428-248-0x0000000002910000-0x0000000002AB3000-memory.dmp

Filesize
1.6MB

Download
memory/3428-237-0x0000000000000000-mapping.dmp

Download
memory/3428-243-0x0000000002710000-0x0000000002901000-memory.dmp

Filesize
1.9MB

Download
memory/3904-175-0x0000000000000000-mapping.dmp

Download
memory/3904-181-0x0000000002B00000-0x0000000002CF1000-memory.dmp

Filesize
1.9MB

Download
memory/3964-249-0x0000000002610000-0x0000000002801000-memory.dmp

Filesize
1.9MB

Download
memory/3964-241-0x0000000000000000-mapping.dmp

Download
memory/3964-253-0x0000000002810000-0x00000000029B3000-memory.dmp

Filesize
1.6MB

Download
memory/3972-192-0x0000000000000000-mapping.dmp

Download
memory/3988-168-0x0000000000000000-mapping.dmp

Download
memory/4052-213-0x0000000002F50000-0x00000000030F3000-memory.dmp

Filesize
1.6MB

Download
memory/4052-224-0x0000000002A60000-0x0000000002B3D000-memory.dmp

Filesize
884KB

Download
memory/4052-240-0x0000000003640000-0x0000000003902000-memory.dmp

Filesize
2.8MB

Download
memory/4052-260-0x0000000004370000-0x00000000043DA000-memory.dmp

Filesize
424KB

Download
memory/4052-208-0x0000000002C50000-0x0000000002E41000-memory.dmp

Filesize
1.9MB

Download
memory/4052-271-0x00000000053F0000-0x000000000553B000-memory.dmp

Filesize
1.3MB

Download
memory/4052-191-0x0000000000000000-mapping.dmp

Download
memory/4052-247-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/4052-287-0x000000000AD60000-0x000000000ADCA000-memory.dmp

Filesize
424KB

Download
memory/4176-171-0x0000000000000000-mapping.dmp

Download
memory/4512-231-0x0000000000000000-mapping.dmp

Download
memory/4836-167-0x0000000000000000-mapping.dmp

Download
memory/5500-292-0x0000000002400000-0x00000000025A3000-memory.dmp

Filesize
1.6MB

Download
memory/5500-290-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/5500-289-0x0000000000000000-mapping.dmp

Download
memory/5500-294-0x00000000025B0000-0x000000000268D000-memory.dmp

Filesize
884KB

Download
memory/5500-296-0x0000000002D10000-0x0000000002E95000-memory.dmp

Filesize
1.5MB

Download
memory/5500-298-0x00000000030A0000-0x0000000003112000-memory.dmp

Filesize
456KB

Download
memory/5500-300-0x0000000036110000-0x0000000036120000-memory.dmp

Filesize
64KB

Download
memory/5732-282-0x0000000000000000-mapping.dmp

Download
memory/5788-284-0x0000000000000000-mapping.dmp

Download
memory/5804-286-0x0000000000000000-mapping.dmp

Download