Malware Analysis Report

2025-01-22 12:32

Sample ID 240518-ns7kdshf77
Target 54851c7751b2499f6411b81dfe237525_JaffaCakes118
SHA256 8a71424387a2745cccb816cda276f90fe1b3331ddfd29e5a6e8316c88107d349
Tags bootkit persistence aspackv2
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral19, behavioral22, behavioral26, behavioral10, behavioral20, behavioral1, behavioral14, behavioral16, behavioral21, behavioral30, behavioral11, behavioral13, behavioral18, behavioral23, behavioral25, behavioral27, behavioral29, behavioral31, behavioral7, behavioral3, behavioral15, behavioral17, behavioral24, behavioral32, behavioral4, behavioral6, behavioral8, behavioral12, behavioral2, behavioral9, behavioral28, behavioral5 (32 behavioral analyses in the report's order, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256

8a71424387a2745cccb816cda276f90fe1b3331ddfd29e5a6e8316c88107d349

Threat Level: Shows suspicious behavior

The file 54851c7751b2499f6411b81dfe237525_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence aspackv2

ASPack v2.12-2.42

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 11:40

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A (14 hits, no details recorded)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (14 hits, no details recorded)

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240508-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:5100 N/A tcp (50 identical connections)

Files

memory/2460-0-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-1-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-7-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-10-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-11-0x0000000000404000-0x0000000000405000-memory.dmp

memory/2460-8-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-6-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-5-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-4-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-3-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-2-0x0000000001F50000-0x0000000002090000-memory.dmp

memory/2460-13-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2460-12-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 fc5c30fce94e4508b8cf6c4af72c1a82
SHA1 4693e9c58bfcf30120444e0f6c6f7ca9c4042777
SHA256 cf0375e3b2a8c884b2ee6c5cc7d9de65d942bd42dd095334bf0253c4e3727358
SHA512 1c129962aad67045c2fafdba8995642f33fac8565b2e650888bca9f537aa27af2710daf6fdf26702c8b0790ea3c91e25f9b761818546a0e74f6f9eb2d7c7af44

memory/2460-30-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2460-31-0x0000000000400000-0x00000000005AA000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/5088-0-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/5088-1-0x0000000000400000-0x0000000000493000-memory.dmp

memory/5088-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

128s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\点我一次自动更新.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\点我一次自动更新.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4300-0-0x0000000000740000-0x0000000000741000-memory.dmp

memory/4300-1-0x0000000000740000-0x0000000000741000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
US 52.111.227.11:443 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:5100 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp
N/A 127.0.0.1:5100 tcp

Files

memory/2672-0-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-7-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-11-0x0000000000404000-0x0000000000405000-memory.dmp

memory/2672-10-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-6-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-5-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-4-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-3-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-2-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-13-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2672-12-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2672-1-0x00000000022D0000-0x0000000002410000-memory.dmp

memory/2672-8-0x00000000022D0000-0x0000000002410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 fc5c30fce94e4508b8cf6c4af72c1a82
SHA1 4693e9c58bfcf30120444e0f6c6f7ca9c4042777
SHA256 cf0375e3b2a8c884b2ee6c5cc7d9de65d942bd42dd095334bf0253c4e3727358
SHA512 1c129962aad67045c2fafdba8995642f33fac8565b2e650888bca9f537aa27af2710daf6fdf26702c8b0790ea3c91e25f9b761818546a0e74f6f9eb2d7c7af44

memory/2672-30-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2672-31-0x0000000000400000-0x00000000005AA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240215-en

Max time kernel

148s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:5600 N/A tcp (5 identical connections)

Files

memory/1636-0-0x0000000000400000-0x000000000051A000-memory.dmp

memory/1636-1-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Dbsrc.ini

MD5 c9c61f0d4ddb10b4af2cf27f650d7192
SHA1 46cd07232d527d04a1b92fbbc29807b8450ad2bb
SHA256 a0495ea6e095400dc4e5c6386a856199db78c0df9f4dfab7ddf166156f690f96
SHA512 1ba14435db46b189b13bca141d11597c162dcd8471634ac6610d69b6ca3c92752b52f11697f2f541bf1962ebb401350bef2c8ae2d420425c32006d94c4abc120

memory/1636-18-0x0000000000400000-0x000000000051A000-memory.dmp

memory/1636-20-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1636-25-0x0000000000400000-0x000000000051A000-memory.dmp

memory/1636-31-0x0000000000400000-0x000000000051A000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/4024-0-0x0000000002240000-0x0000000002241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Logsrv.ini

MD5 742233074090725515e4a2a185e78540
SHA1 0d1c7424fb6c120ac1afbda525e0bd0a77a0cd5e
SHA256 dacdbbaf39cb5f2dcd0ca604b7309a0f1f862a89d82b9f46752b3f023f0c4523
SHA512 ee0f6febff2a7f02937e1bae5eb8b4f9be2759a4a533b7a9388287f2a6397b56490fe3426227782f56b9e7935f7c8db80087b99e0368211acc21cab23b69d491

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Logsrv.ini

MD5 998aae8d3a647eba2a495ab6a17b84d0
SHA1 c09985efb006217a9bcb76a70e220069b47aca93
SHA256 1f3db65afbf9af455d06f9d0c6fedca70de814caea6d4c258892caba93f23388
SHA512 9a58a826ccd5e6aab4438563145d43c6aaccd886ac2a1c217e3c26f23f01556a4a6677a6a39a6b58809f569123459fc45a6d54e00546e234852174232e83ebee

memory/4024-57-0x0000000002240000-0x0000000002241000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3920,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3524-0-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini

MD5 eecd59ac9e624ef8a5d0a9ee97a54034
SHA1 c3d38993525352c6192f000333725e1664f00b7d
SHA256 f7103696711f9eea7f1ad2e8d686af07e031bef20e2af0b3148606f3e2b35e25
SHA512 5aec3cc615b5a2b1a39da15ed85063338c0d3367150a7d3b82e4f83bebe90ac875dcec3bc403776ef1e5ab0ddde2375214ebfa637397a2f6a56dd19c08779ea6

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini

MD5 f85aeacb1f904d37569acd820d5a0688
SHA1 3c4c470b88c36f9e1c9c8f0bea3f16ee5a311787
SHA256 6d50e9ae6ed906b521cc09bf30b30e92e5259ad14e85497df42aa95de9a07a5a
SHA512 c820287b991c0d130980b6089e19a5fb43be6cb8818c16f101ce599d1fc95a0004888d67ca241ed898600a20510d22aff6c644e6294d072e92cc88e7e92aaf5f

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini

MD5 995b8a5fd46f50a5a9ac3151e4104aab
SHA1 beb7338e55e6caa5ab3c03b540d12544e176e0be
SHA256 f99900aa9bfb56964da7bc6b40c26eeff7a300e233b302ef1d05c724714b0ab2
SHA512 f523c61ad4b4597c66838a5c53334e8223a997687f86b0e8b8253854dfe06bffb0a0feb0662f76690692613971b609b41fb3d1915cecec8f115b8e642137e651

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 c7e8567958ec12dd2dc30942ffe63080
SHA1 8f6e251d583a19c6cc7804fab77b56bd81c61b8b
SHA256 7471f2b9787cef127d037aa58db05096306eb57c1be585306e4a2f8621074e4a
SHA512 81bef1fee6d5b1f18b1b70c9961b2a8d35c27ae412f7c1b227634a91c3d429ddffc29ace850b501cd7886b0112d658ffc8427b1147e0a1717dc2a41d3386b5d5

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 4d7e37ff2935446918d79ed4184c4395
SHA1 64e5dbeca2d471601b726946215bb5c28cf3aa56
SHA256 f9aa0f647d696cd2eb89ce694ca5c1c687c591bf6062b5ff88b0023a41f37c47
SHA512 798260a190582e3abbdf404510abbb84dc27551050bbdd8bbaca1dcc4656ce3b04596a93dea667b18a38f9fbc5f78fb554ddb4072267fd01bc68ebd1fa840add

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 d3cc46aa49edca0a6a33a1fb305f212c
SHA1 dd09bf4edd7da141a104a70f8bec2a191a9c5fc0
SHA256 9cd1e310742ac8a263fdfda226aab5a5dbc9e0bf44f39b899d3c13b760b4636b
SHA512 7d71996737f8f9c1757b547e905df88ab7f4f5c87e564886cd1815d87a4e9ae3952197dcd364b0bd7aa3bb2e5a480c671d9f13dd26e575a98efa282d281e7e1c

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 0c4b1cfb4fefb6c0e19ffe49c4da2e8f
SHA1 df172420ce4b54c9d1a119a55fb4e6abdec1ec63
SHA256 4d6849d36a705457c85b105280674978544aff7a19a5ed189ec5aa90f355ef91
SHA512 81073fc04151669d835f67175db9ed7d4b1c722e848e49396bdac27c7b4dcb2cb72867e64545f5a520550fd51fcedbbb6cacf07111230675f997383c617b422f

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 36fd990606be8314b2916df11675b315
SHA1 a476ca9d1e1bd3cf6465300ddcca833dd0fed7a7
SHA256 a84fcb63ec202487a9de490c95e55f1b2ae92aac0c9742ac3c7e1ffb932bd72a
SHA512 accffe9faed171dddfae5594e7cc1f1106c80bcb75100f0be29a91dcfc506e68f840b696b3e0bf69f7a9d8acfbe7f411225bba223304bf906e6923407fc09c68

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 29e0e08e2c49a24d8c6d8fb12be112bf
SHA1 efb7bb876cf8c99487b865c48b875dc5fd4abb36
SHA256 83a76b6b67cd1c6f1f8aa8fe456fa5589eedbcc57adc640e2b65c068bbba72cc
SHA512 4bc2af8f08a44c8a0888f62c94eef3781d61005c9a01fd9b77cd7ccbe8650a03c0dc03494e273be4ed07984ccc4c80f467efaf6809b1d81f4fbd0f938db125e5

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 5c828774697948be8292ebb029bca1e9
SHA1 bdf6a0b31a248042309df664065d698ee6f15841
SHA256 7ce6959b13313e8e0bde00bd49c9339b9b7a7a1e5b46cd47b748f341406c93a1
SHA512 17a162a1a52fa18682453a108b544e04ad92e0ed9a59aab5d434620c6025b82ebd4c6a76987891f47fef36568874906c7a91288d2133f590efe3bc27b5467b46

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 70b5a27dff349dccc0e348e216c726f2
SHA1 93de6e670ab30dfd9b5e657cf894b9352918287a
SHA256 cfa80cc70a0c48fa35a7e3ae3935da99636a4aad80d5ff199562ab9361b70038
SHA512 244ac6eea5d86c82bc1ab43b06b0b4669d937cc3a02175a7ce664df74003204a2170f81be54b04e118e362447203203ccb2b28531b35f1213780658b21642a57

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Envir\Nations\Nations.ini

MD5 b12d000dcd03d9c507966a82fd5355b9
SHA1 55140a96ee4bc588f3f9600776c1bbb544dae4cd
SHA256 73c84ab1ba6ebe06fadcabbf6037be967237d58c956c1a67ca59db012ec47df4
SHA512 93c557e428c481ae6c9844b166a71a97d73e42f4ea8ca9c6dc07a0f9b58c5e9877a3c6af186d7c7e19faf7a3cff84cbc628c1afeca43a8793a503394de0eba4f

memory/3524-9005-0x0000000002DC0000-0x0000000002E24000-memory.dmp

memory/3524-9004-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9017-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9019-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/3524-9032-0x0000000002DC0000-0x0000000002E24000-memory.dmp

memory/3524-9031-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9044-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9057-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9070-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9083-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9096-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9109-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9111-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9135-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9148-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9161-0x0000000000400000-0x000000000079E000-memory.dmp

memory/3524-9163-0x0000000000400000-0x000000000079E000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240221-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe"

Network

N/A

Files

memory/2492-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2492-1-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2492-3-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/2236-0-0x0000000000520000-0x0000000000521000-memory.dmp

memory/2236-1-0x0000000000520000-0x0000000000521000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240508-en

Max time kernel

148s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:5500 N/A tcp (50 identical connections)

Files

memory/2196-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 6bfb003c5160e37c339236e8a3d12331
SHA1 6258603296cb7e1d3784d2e5c24c4fadbfe63b2e
SHA256 86c43f03cdef1c127300bfdac1df7abd9717093dcecaacb398686cd7208a8b5a
SHA512 1b4cc5275bad98b4c31fa3359a84401f10481cb39c103139bba59fee6832d866e3bc628b181a12edca53787a3c2ad23984ce0e1ad7bf9b58f6e102ca3708806a

memory/2196-20-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240221-en

Max time kernel

124s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe"

Network

N/A

Files

memory/2772-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Logsrv.ini

MD5 998aae8d3a647eba2a495ab6a17b84d0
SHA1 c09985efb006217a9bcb76a70e220069b47aca93
SHA256 1f3db65afbf9af455d06f9d0c6fedca70de814caea6d4c258892caba93f23388
SHA512 9a58a826ccd5e6aab4438563145d43c6aaccd886ac2a1c217e3c26f23f01556a4a6677a6a39a6b58809f569123459fc45a6d54e00546e234852174232e83ebee

memory/2772-57-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp

Files

memory/1812-0-0x0000000002140000-0x0000000002141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 76147d246b9de61bd64d2fbd4cf6cedf
SHA1 bb7d48713ea29621b9d30d4b3012de521bac3e9c
SHA256 7dbb226279a04ba42220f10d036fb27bf58fe8cdc0d10a02dea04900becad43b
SHA512 577f86c9139c2979adfc6576992c3cabae9747b5b91366f09eac5eb233228b81caafdcebe4e2cce7885115b679b75f27621ed41737f76f1a6e7cd9d94b40d2ad

memory/1812-30-0x0000000002140000-0x0000000002141000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20231129-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe"

Network

N/A

Files

memory/2364-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2364-1-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2364-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240215-en

Max time kernel

118s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\点我一次自动更新.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\点我一次自动更新.bat"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe"

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240419-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe"

Network

N/A

Files

memory/1760-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1760-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240220-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe"

Network

N/A

Files

memory/3064-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3064-15-0x0000000000400000-0x00000000004E6000-memory.dmp

memory/3064-17-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe"

Network

N/A

Files

memory/2316-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2316-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240221-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe"

Network

N/A

Files

memory/1968-0-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-1-0x0000000000310000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini

MD5 219fd6c38c175c45aa64854688240468
SHA1 9a19f36e7c669307300e32bcc7661d569ded2f96
SHA256 17735ba7f1b88d2dd1f63d6c6fa6e29cdfdacd34d13b6c143d238ca80d94862d
SHA512 702e9c3a0b19aba722a177ba46269a73d8f7a2149e8791a2a3f6ba3bb8c5bffc87ee9cd8fa26e6713c0aca98ec8295a72e29cd254081923a3b21ec189421cf0a

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini

MD5 b3d38bfe3e8ea19237f4025b72cc4324
SHA1 ea2ccfe6cbde06be748ccd0d206dd3a6c75bcbde
SHA256 ba8ec32a5471a982ebcba58f452bce591b9d9db4c80bb728aad044396b80e323
SHA512 c8325d67e5673af36502fea5a3dc2b2e2a343a5c4a54f1ee643f446c650e9875a295b4efd5315866ab61f7b8bc0c475c7dd371c379632d2aef96e5fb182c2a7c

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini

MD5 9bf34382a46fe66560a4e656c5d8f619
SHA1 fb30f7ec4502257d31498e1b1d09ac843748eb82
SHA256 e6aafd087d1c36c8700bb977ebd1dd0254caaa16a4e4a7e8bb323b9848fe48da
SHA512 4fef2d91bb8fe8adb3700723ad540131a774180daf538b434aece602ee7d8fbde8a69711ec290229b7eb570fcbe02288815def60d4f181b4fce25a7539f4f00f

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini

MD5 2e1897e9440eaee565a8729e6600daea
SHA1 79a01e5c1b4c4446bb76f11316d55c45fbd07aca
SHA256 2c4be61872472cee5795ec68b6a88b2d9ee2d1256f44869fff2ca43ca05f1d6e
SHA512 8fce5488ae586dd58e419889a3e4030666f85518a6347c412592ea722f60596ce93f6160a6b631706050399789e351e59a384effba4b72cdfcd6578cd85529ae

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini

MD5 ff208b5fb31723413735a45f13f503bf
SHA1 80c72681c0d3a8dd5da9d9e5392d9e6f617f6107
SHA256 076d8854435b7e5ed826ed2ce00e6ae37b2f99c912581237cd7cbae2e8a1f1df
SHA512 2246004bcf70088d7fdecf49b4e93626fddef6fe5480df5a30cde70415275aa8bf7deeabe2c16c837497f8ccfd1d8d8755ee786df61d6bfbb17e0de1b8fb8f5d

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini

MD5 04005796301ef5dea93296c1768b26f2
SHA1 c04706f8493b34a004ad05c04d83a3cb08281fd2
SHA256 993cf5cb0ca54adaaf7a707d213905b7f08ecc52cb919a30cb6d8cd9236b113e
SHA512 7659b4178f3f6035cf0f4eb53a88db5f84f6dc22349eaf4fc66ac1dda29f5b9e729a94d471427293653304f0e84da5b21ddc6d3da0ab7e9154488d39ebcf03b3

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 106dcbe66198a599a7c7f61a7da42ca2
SHA1 f83bae0c34f81f9bc906f9eea0071abeda742feb
SHA256 c0e058c1ed7dc7827fbba5b6eb82c1d51438d7e353fc6c9a0bc6adefd0482825
SHA512 3234abd03bc18d3ffe55e72844e71e34bf746150b01468f94d5f71fa1251d342282949af56b852bbbe61eed95331e2c6253f30f98a4e5a13507c6c3cc4e2c4f9

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 c1438a5d3ca13f554996b3f50cc54c8b
SHA1 1d02bda640fddef1ca20ebbf4382eaec7cf7b94e
SHA256 6d705937dfc13f5d1489de967028a99f0fa52ffee6b5651172a85babb5566ba4
SHA512 921be81c187945b7f49721560d7135587c4e87a54da7c7b5d890432dfcee080aa56b47326604b0f9f633fdb81dceca3b6eb4ee7dfc90d8d87b5cce43d67781a0

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 8c2174d17c65e7b010eedb6eaf839a90
SHA1 35464bd476837254a640988dca276ccb738a1806
SHA256 11c920a079ea5a46cc7eb54ff2c58d11f1d61269211ecc243d2afa91ba12a9db
SHA512 3b1808e3560de82416852c6acc6ea7daba8bcb1adfb6adb5b7426df82cf589cd827df0aae16eb51967070500fd70fbd17517777081b6caf829245db004243bc5

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 20b7fc4e037840fe00dd40e2e23a212e
SHA1 9ea0b67963ed8b3c0bb8ed9e68b47c2dfd25a688
SHA256 21900b424d9eaa9c65f946f0f66b4f0428e5192e6a0b4fcd81b9ac02b9cb5524
SHA512 3b2c8258b687b99dacb114c816b776367de640e1889b8a54fe0209427184188eca1003cb5aa04c8adedfda0497bad1167bb73e55f2951934e04ae322240cb054

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 4c4a66c0cb82cfa9c8e9b975ad10a781
SHA1 7035fa49e3518ee60f421aefbb498aade780b5bb
SHA256 76c0f1cb7288fcb38b04511abbecc0aeb571cbacc59244771f4d7c30a5523657
SHA512 0f3e74072e8bdfb0553f16dbf1dbc315b3d14bcb575bfad605d101a2868001ac882af7e70191c5e85eecdd4e4f7fe620e379015a7c0a34c4b30c8de8e3a085e0

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 d3cc46aa49edca0a6a33a1fb305f212c
SHA1 dd09bf4edd7da141a104a70f8bec2a191a9c5fc0
SHA256 9cd1e310742ac8a263fdfda226aab5a5dbc9e0bf44f39b899d3c13b760b4636b
SHA512 7d71996737f8f9c1757b547e905df88ab7f4f5c87e564886cd1815d87a4e9ae3952197dcd364b0bd7aa3bb2e5a480c671d9f13dd26e575a98efa282d281e7e1c

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 e0397ad331debfda339a67cf73dcf087
SHA1 2d8b04d1958a4c93b8af2ad1839b9792e239a3ad
SHA256 b1c88353b0fccbaabea411be29808faf8d5c98949db0190d13424e06d20fed25
SHA512 56ae4c1061dfca03e2b26b9dc92f8c6b1434f5479f7bfd2265d466af634df07bb812e5d7f3260b52189216e0eb83db5894c83d9a9842b040d8d7694f101d08d3

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 0c4b1cfb4fefb6c0e19ffe49c4da2e8f
SHA1 df172420ce4b54c9d1a119a55fb4e6abdec1ec63
SHA256 4d6849d36a705457c85b105280674978544aff7a19a5ed189ec5aa90f355ef91
SHA512 81073fc04151669d835f67175db9ed7d4b1c722e848e49396bdac27c7b4dcb2cb72867e64545f5a520550fd51fcedbbb6cacf07111230675f997383c617b422f

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 e4823c2b376dfe8238983ed3ff1d68ec
SHA1 d82df8312d555667e88f68dc825390d804749e9c
SHA256 632335b446b968bc4449288c2358d420bd52bc66826b7fd37daf0a8372269a42
SHA512 94429d4d3aa425f156d189512b62722a96dcd7dc55f7b78f8b813efd8ca1706205b1242539d8f2f440ced4122ae989ffd059564206483b304b87a3379ae4ad88

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 babf69d9fbba1717b5965ad6d3ab3466
SHA1 aa345cac7d3a5e4b6c5562b49f5f862fd6cc9d7a
SHA256 742fcad03f72812cd58338e395da8338234c15825672e09880b41e26a87ad2ff
SHA512 cd915d1c788673d92e394a4784f83f04ce472f7e4e93819973c8929ebe3dec24962a1f8bfa15731944f6fdbc5e16b074fcc2e9d5770a34f0732201e246dc7336

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 c079a2a86a6d115b4f12210dbe74ee52
SHA1 14144b8479f976504d5d14776417ef259479c7af
SHA256 2a61c71d46c650b3faac574285c519e1a0edf0054b7aab2b4392df9469a4f2fb
SHA512 0917d487a4f5bb5460f9c070351ceb9807e421a3308ad838273e638ea7f87768f192d6d332ae3f25e7ae62ee7aaa5037a09f7d32c5e664d31bd382e0ac362b03

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 23d18a2dd7db1f975541db7854be4b61
SHA1 7c5096f856d8bc291a091890dbf6ec23bda3ef0c
SHA256 0dab0d17da36a4b6131edce3c552052c5191295215af0b3b1e3b34b95c4a5b65
SHA512 1bbd5d2d40c1cb5eaafe0132972cd8f66ebe03a3533dc4d5c6c6512af9f1ecd4009c34cb22b1cd6b952a41ef34e2f0d89d0bfc294398687c7466f8e79f4762e5

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 5badebc1203933dda614c1afac074780
SHA1 3f4f67224ddf89ade3f31ff1b8849d79d347815a
SHA256 0e3cc408bdac7adbd79d49180c37f654684393c09f43788c590947ecebdb466c
SHA512 be6dfb6a3c575278f73134030afbb961669bb6b9c8803c6c6d33276f358028c356aaa48fea9fa026213fa81419acc97bd6b6edd284c74b0d28be332ac546987b

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 f87b4c9bd83dfaee040eb92c14aeac06
SHA1 ed831488e2fee41b9fd9fee1ef7279ca9b6030eb
SHA256 17690cdb1ea67d2c98e9dd46b97947403c900a168de0f212d89f3f4db0f3cae0
SHA512 7b69ae65ae20b0282fb60c14befe04bd740e38842ec253c504a1200171e113f727083dde385bea96f51f38d3c04119f2631b4622b13f6e7b94030c70f89894ef

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt

MD5 32e74e3904b7cd5c646c76f676280759
SHA1 b4afa50a6b5f4f0698e941dbc57bdb59ad39fde5
SHA256 dee585a06bee8dfcaf459cc2e97e4d78e51ce03a4e951538c9b9177b75586442
SHA512 62eff8dcade7e9b4102f051b56d58c6c77a4ded6f81891e4823d27f4640de045fd13ddf5f3c6a5b323ba43937f8ca21dccd3698ab3b6c12ede08e19611680e35

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Exps.ini

MD5 d9570074d3d39b4bd800e543e85cbb6d
SHA1 731bc85d362a297825303da8222faab9120e5eb9
SHA256 aed098650f908346f2d46aa34c82eedabff8531c075874edfda19b08b31b958e
SHA512 609a4b42d51f325d80b6c5e90d1a8961e0863f7be9b89a3e51b6de191907a95ac9c4924708fbc57bfb01d640c1ba89cf261a527353983ff28ed9e6406d1fe681

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Exps.ini

MD5 4734c534d2c7ad4a0be0273887b0e03a
SHA1 8537c8018793181325f89a8082ef37254db34b07
SHA256 895a1cafa23da6c1cb58b6c3fbacf236014cf14d89ebc2391376fa8f6204ad8c
SHA512 fa515e41f3f78bf444061b7e88f2f7c230a00b918885184aef82c8983327bd0a32928c443435b920e22969899653f767b340f3168f93d4fb0e3c28da4aa61e25

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Envir\Nations\Nations.ini

MD5 07d1dcee816c05507f2211405cf24ea4
SHA1 63f3b149ac00284b14c189348d0374440937b1d1
SHA256 7c28f1932a159ef5c79abf714bd771df16b54500e1cbef033aef85d958e6246f
SHA512 9be583e64976a51d174c50eb334a52f831988b99d25f6487e1c169015dfa79a0bf90baf9a7df58cc458a28594daf6cb1768dd9a0de14b6415ef6ea3c8fb8d08d

memory/1968-9005-0x00000000024B0000-0x0000000002514000-memory.dmp

memory/1968-9004-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9019-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9017-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9020-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1968-9033-0x00000000024B0000-0x0000000002514000-memory.dmp

memory/1968-9032-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9045-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9058-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9071-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9084-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9097-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9110-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9123-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9125-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9149-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9162-0x0000000000400000-0x000000000079E000-memory.dmp

memory/1968-9175-0x0000000000400000-0x000000000079E000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240508-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp
N/A 127.0.0.1:5000 tcp

Files

memory/2224-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 76147d246b9de61bd64d2fbd4cf6cedf
SHA1 bb7d48713ea29621b9d30d4b3012de521bac3e9c
SHA256 7dbb226279a04ba42220f10d036fb27bf58fe8cdc0d10a02dea04900becad43b
SHA512 577f86c9139c2979adfc6576992c3cabae9747b5b91366f09eac5eb233228b81caafdcebe4e2cce7885115b679b75f27621ed41737f76f1a6e7cd9d94b40d2ad

memory/2224-30-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 88.221.83.202:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 202.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/652-0-0x0000000002320000-0x0000000002321000-memory.dmp

memory/652-1-0x0000000000400000-0x000000000048E000-memory.dmp

memory/652-3-0x0000000002320000-0x0000000002321000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/3080-0-0x0000000002470000-0x0000000002471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 45deb81ed65657f5e87552b26d9b82d3
SHA1 735eb5119b53583e8ee8131a18067f24260fb710
SHA256 e850b7112c3326fc9e05b8a1092b4f31948766a44fb06e86ef5a7fb6c315d585
SHA512 f47e6712115f4a46f1522e41d50bc782eb0588928f1f95bf758c09f44652b4456c3f42c3bf207af191507fabbcb2b4f4e28e4b86140fbbf2d2388c623a904cbe

memory/3080-15-0x0000000000400000-0x00000000004E6000-memory.dmp

memory/3080-17-0x0000000002470000-0x0000000002471000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1960-0-0x0000000000690000-0x0000000000691000-memory.dmp

memory/1960-1-0x0000000000690000-0x0000000000691000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\HeroM2帮助文件.chm

Signatures

N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\HeroM2帮助文件.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 4164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 4164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 4164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
N/A 127.0.0.1:5500 tcp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
N/A 127.0.0.1:5500 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp
N/A 127.0.0.1:5500 tcp

Files

memory/1892-0-0x00000000021B0000-0x00000000021B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini

MD5 6bfb003c5160e37c339236e8a3d12331
SHA1 6258603296cb7e1d3784d2e5c24c4fadbfe63b2e
SHA256 86c43f03cdef1c127300bfdac1df7abd9717093dcecaacb398686cd7208a8b5a
SHA512 1b4cc5275bad98b4c31fa3359a84401f10481cb39c103139bba59fee6832d866e3bc628b181a12edca53787a3c2ad23984ce0e1ad7bf9b58f6e102ca3708806a

memory/1892-20-0x00000000021B0000-0x00000000021B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
N/A 127.0.0.1:5600 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:5600 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:5600 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 52.111.229.48:443 tcp
N/A 127.0.0.1:5600 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 127.0.0.1:5600 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2124-0-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2124-1-0x00000000006D0000-0x00000000006D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Dbsrc.ini

MD5 c9c61f0d4ddb10b4af2cf27f650d7192
SHA1 46cd07232d527d04a1b92fbbc29807b8450ad2bb
SHA256 a0495ea6e095400dc4e5c6386a856199db78c0df9f4dfab7ddf166156f690f96
SHA512 1ba14435db46b189b13bca141d11597c162dcd8471634ac6610d69b6ca3c92752b52f11697f2f541bf1962ebb401350bef2c8ae2d420425c32006d94c4abc120

memory/2124-18-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2124-20-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/2124-25-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2124-31-0x0000000000400000-0x000000000051A000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe"

Network

N/A

Files

memory/776-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/776-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe

"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3728 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 11:40

Reported

2024-05-18 11:43

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\HeroM2帮助文件.chm

Signatures

N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\HeroM2帮助文件.chm

Network

N/A

Files

N/A