Analysis Overview
SHA256
8a71424387a2745cccb816cda276f90fe1b3331ddfd29e5a6e8316c88107d349
Threat Level: Shows suspicious behavior
The file 54851c7751b2499f6411b81dfe237525_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Writes to the Master Boot Record (MBR)
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 11:40
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240508-en
Max time kernel
148s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
Files
memory/2460-0-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-1-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-7-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-10-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-11-0x0000000000404000-0x0000000000405000-memory.dmp
memory/2460-8-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-6-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-5-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-4-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-3-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-2-0x0000000001F50000-0x0000000002090000-memory.dmp
memory/2460-13-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/2460-12-0x0000000000400000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | fc5c30fce94e4508b8cf6c4af72c1a82 |
| SHA1 | 4693e9c58bfcf30120444e0f6c6f7ca9c4042777 |
| SHA256 | cf0375e3b2a8c884b2ee6c5cc7d9de65d942bd42dd095334bf0253c4e3727358 |
| SHA512 | 1c129962aad67045c2fafdba8995642f33fac8565b2e650888bca9f537aa27af2710daf6fdf26702c8b0790ea3c91e25f9b761818546a0e74f6f9eb2d7c7af44 |
memory/2460-30-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/2460-31-0x0000000000400000-0x00000000005AA000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
107s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/5088-0-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/5088-1-0x0000000000400000-0x0000000000493000-memory.dmp
memory/5088-3-0x00000000005D0000-0x00000000005D1000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\点我一次自动更新.bat"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4300-0-0x0000000000740000-0x0000000000741000-memory.dmp
memory/4300-1-0x0000000000740000-0x0000000000741000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
136s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\SelGate.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 52.111.227.11:443 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
| N/A | 127.0.0.1:5100 | N/A | tcp |
Files
memory/2672-0-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-7-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-11-0x0000000000404000-0x0000000000405000-memory.dmp
memory/2672-10-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-6-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-5-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-4-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-3-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-2-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-13-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/2672-12-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/2672-1-0x00000000022D0000-0x0000000002410000-memory.dmp
memory/2672-8-0x00000000022D0000-0x0000000002410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | fc5c30fce94e4508b8cf6c4af72c1a82 |
| SHA1 | 4693e9c58bfcf30120444e0f6c6f7ca9c4042777 |
| SHA256 | cf0375e3b2a8c884b2ee6c5cc7d9de65d942bd42dd095334bf0253c4e3727358 |
| SHA512 | 1c129962aad67045c2fafdba8995642f33fac8565b2e650888bca9f537aa27af2710daf6fdf26702c8b0790ea3c91e25f9b761818546a0e74f6f9eb2d7c7af44 |
memory/2672-30-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/2672-31-0x0000000000400000-0x00000000005AA000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240215-en
Max time kernel
148s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:5600 | N/A | tcp |
| N/A | 127.0.0.1:5600 | N/A | tcp |
| N/A | 127.0.0.1:5600 | N/A | tcp |
| N/A | 127.0.0.1:5600 | N/A | tcp |
| N/A | 127.0.0.1:5600 | N/A | tcp |
Files
memory/1636-0-0x0000000000400000-0x000000000051A000-memory.dmp
memory/1636-1-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Dbsrc.ini
| MD5 | c9c61f0d4ddb10b4af2cf27f650d7192 |
| SHA1 | 46cd07232d527d04a1b92fbbc29807b8450ad2bb |
| SHA256 | a0495ea6e095400dc4e5c6386a856199db78c0df9f4dfab7ddf166156f690f96 |
| SHA512 | 1ba14435db46b189b13bca141d11597c162dcd8471634ac6610d69b6ca3c92752b52f11697f2f541bf1962ebb401350bef2c8ae2d420425c32006d94c4abc120 |
memory/1636-18-0x0000000000400000-0x000000000051A000-memory.dmp
memory/1636-20-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1636-25-0x0000000000400000-0x000000000051A000-memory.dmp
memory/1636-31-0x0000000000400000-0x000000000051A000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/4024-0-0x0000000002240000-0x0000000002241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Logsrv.ini
| MD5 | 742233074090725515e4a2a185e78540 |
| SHA1 | 0d1c7424fb6c120ac1afbda525e0bd0a77a0cd5e |
| SHA256 | dacdbbaf39cb5f2dcd0ca604b7309a0f1f862a89d82b9f46752b3f023f0c4523 |
| SHA512 | ee0f6febff2a7f02937e1bae5eb8b4f9be2759a4a533b7a9388287f2a6397b56490fe3426227782f56b9e7935f7c8db80087b99e0368211acc21cab23b69d491 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Logsrv.ini
| MD5 | 998aae8d3a647eba2a495ab6a17b84d0 |
| SHA1 | c09985efb006217a9bcb76a70e220069b47aca93 |
| SHA256 | 1f3db65afbf9af455d06f9d0c6fedca70de814caea6d4c258892caba93f23388 |
| SHA512 | 9a58a826ccd5e6aab4438563145d43c6aaccd886ac2a1c217e3c26f23f01556a4a6677a6a39a6b58809f569123459fc45a6d54e00546e234852174232e83ebee |
memory/4024-57-0x0000000002240000-0x0000000002241000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
133s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3920,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/3524-0-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-1-0x0000000000A70000-0x0000000000A71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini
| MD5 | eecd59ac9e624ef8a5d0a9ee97a54034 |
| SHA1 | c3d38993525352c6192f000333725e1664f00b7d |
| SHA256 | f7103696711f9eea7f1ad2e8d686af07e031bef20e2af0b3148606f3e2b35e25 |
| SHA512 | 5aec3cc615b5a2b1a39da15ed85063338c0d3367150a7d3b82e4f83bebe90ac875dcec3bc403776ef1e5ab0ddde2375214ebfa637397a2f6a56dd19c08779ea6 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini
| MD5 | f85aeacb1f904d37569acd820d5a0688 |
| SHA1 | 3c4c470b88c36f9e1c9c8f0bea3f16ee5a311787 |
| SHA256 | 6d50e9ae6ed906b521cc09bf30b30e92e5259ad14e85497df42aa95de9a07a5a |
| SHA512 | c820287b991c0d130980b6089e19a5fb43be6cb8818c16f101ce599d1fc95a0004888d67ca241ed898600a20510d22aff6c644e6294d072e92cc88e7e92aaf5f |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini
| MD5 | 995b8a5fd46f50a5a9ac3151e4104aab |
| SHA1 | beb7338e55e6caa5ab3c03b540d12544e176e0be |
| SHA256 | f99900aa9bfb56964da7bc6b40c26eeff7a300e233b302ef1d05c724714b0ab2 |
| SHA512 | f523c61ad4b4597c66838a5c53334e8223a997687f86b0e8b8253854dfe06bffb0a0feb0662f76690692613971b609b41fb3d1915cecec8f115b8e642137e651 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | c7e8567958ec12dd2dc30942ffe63080 |
| SHA1 | 8f6e251d583a19c6cc7804fab77b56bd81c61b8b |
| SHA256 | 7471f2b9787cef127d037aa58db05096306eb57c1be585306e4a2f8621074e4a |
| SHA512 | 81bef1fee6d5b1f18b1b70c9961b2a8d35c27ae412f7c1b227634a91c3d429ddffc29ace850b501cd7886b0112d658ffc8427b1147e0a1717dc2a41d3386b5d5 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | 4d7e37ff2935446918d79ed4184c4395 |
| SHA1 | 64e5dbeca2d471601b726946215bb5c28cf3aa56 |
| SHA256 | f9aa0f647d696cd2eb89ce694ca5c1c687c591bf6062b5ff88b0023a41f37c47 |
| SHA512 | 798260a190582e3abbdf404510abbb84dc27551050bbdd8bbaca1dcc4656ce3b04596a93dea667b18a38f9fbc5f78fb554ddb4072267fd01bc68ebd1fa840add |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | d3cc46aa49edca0a6a33a1fb305f212c |
| SHA1 | dd09bf4edd7da141a104a70f8bec2a191a9c5fc0 |
| SHA256 | 9cd1e310742ac8a263fdfda226aab5a5dbc9e0bf44f39b899d3c13b760b4636b |
| SHA512 | 7d71996737f8f9c1757b547e905df88ab7f4f5c87e564886cd1815d87a4e9ae3952197dcd364b0bd7aa3bb2e5a480c671d9f13dd26e575a98efa282d281e7e1c |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | 0c4b1cfb4fefb6c0e19ffe49c4da2e8f |
| SHA1 | df172420ce4b54c9d1a119a55fb4e6abdec1ec63 |
| SHA256 | 4d6849d36a705457c85b105280674978544aff7a19a5ed189ec5aa90f355ef91 |
| SHA512 | 81073fc04151669d835f67175db9ed7d4b1c722e848e49396bdac27c7b4dcb2cb72867e64545f5a520550fd51fcedbbb6cacf07111230675f997383c617b422f |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | 36fd990606be8314b2916df11675b315 |
| SHA1 | a476ca9d1e1bd3cf6465300ddcca833dd0fed7a7 |
| SHA256 | a84fcb63ec202487a9de490c95e55f1b2ae92aac0c9742ac3c7e1ffb932bd72a |
| SHA512 | accffe9faed171dddfae5594e7cc1f1106c80bcb75100f0be29a91dcfc506e68f840b696b3e0bf69f7a9d8acfbe7f411225bba223304bf906e6923407fc09c68 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | 29e0e08e2c49a24d8c6d8fb12be112bf |
| SHA1 | efb7bb876cf8c99487b865c48b875dc5fd4abb36 |
| SHA256 | 83a76b6b67cd1c6f1f8aa8fe456fa5589eedbcc57adc640e2b65c068bbba72cc |
| SHA512 | 4bc2af8f08a44c8a0888f62c94eef3781d61005c9a01fd9b77cd7ccbe8650a03c0dc03494e273be4ed07984ccc4c80f467efaf6809b1d81f4fbd0f938db125e5 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | 5c828774697948be8292ebb029bca1e9 |
| SHA1 | bdf6a0b31a248042309df664065d698ee6f15841 |
| SHA256 | 7ce6959b13313e8e0bde00bd49c9339b9b7a7a1e5b46cd47b748f341406c93a1 |
| SHA512 | 17a162a1a52fa18682453a108b544e04ad92e0ed9a59aab5d434620c6025b82ebd4c6a76987891f47fef36568874906c7a91288d2133f590efe3bc27b5467b46 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
| MD5 | 70b5a27dff349dccc0e348e216c726f2 |
| SHA1 | 93de6e670ab30dfd9b5e657cf894b9352918287a |
| SHA256 | cfa80cc70a0c48fa35a7e3ae3935da99636a4aad80d5ff199562ab9361b70038 |
| SHA512 | 244ac6eea5d86c82bc1ab43b06b0b4669d937cc3a02175a7ce664df74003204a2170f81be54b04e118e362447203203ccb2b28531b35f1213780658b21642a57 |
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Envir\Nations\Nations.ini
| MD5 | b12d000dcd03d9c507966a82fd5355b9 |
| SHA1 | 55140a96ee4bc588f3f9600776c1bbb544dae4cd |
| SHA256 | 73c84ab1ba6ebe06fadcabbf6037be967237d58c956c1a67ca59db012ec47df4 |
| SHA512 | 93c557e428c481ae6c9844b166a71a97d73e42f4ea8ca9c6dc07a0f9b58c5e9877a3c6af186d7c7e19faf7a3cff84cbc628c1afeca43a8793a503394de0eba4f |
memory/3524-9005-0x0000000002DC0000-0x0000000002E24000-memory.dmp
memory/3524-9004-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9017-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9019-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/3524-9032-0x0000000002DC0000-0x0000000002E24000-memory.dmp
memory/3524-9031-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9044-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9057-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9070-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9083-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9096-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9109-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9111-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9135-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9148-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9161-0x0000000000400000-0x000000000079E000-memory.dmp
memory/3524-9163-0x0000000000400000-0x000000000079E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240221-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\日志查询\日志查询.exe"
Network
Files
memory/2492-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2492-1-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2492-3-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
129s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/2236-0-0x0000000000520000-0x0000000000521000-memory.dmp
memory/2236-1-0x0000000000520000-0x0000000000521000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240508-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
| N/A | 127.0.0.1:5500 | N/A | tcp |
Files
memory/2196-0-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | 6bfb003c5160e37c339236e8a3d12331 |
| SHA1 | 6258603296cb7e1d3784d2e5c24c4fadbfe63b2e |
| SHA256 | 86c43f03cdef1c127300bfdac1df7abd9717093dcecaacb398686cd7208a8b5a |
| SHA512 | 1b4cc5275bad98b4c31fa3359a84401f10481cb39c103139bba59fee6832d866e3bc628b181a12edca53787a3c2ad23984ce0e1ad7bf9b58f6e102ca3708806a |
memory/2196-20-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240221-en
Max time kernel
124s
Max time network
129s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginSrv.exe"
Network
Files
memory/2772-0-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Logsrv.ini
| MD5 | 998aae8d3a647eba2a495ab6a17b84d0 |
| SHA1 | c09985efb006217a9bcb76a70e220069b47aca93 |
| SHA256 | 1f3db65afbf9af455d06f9d0c6fedca70de814caea6d4c258892caba93f23388 |
| SHA512 | 9a58a826ccd5e6aab4438563145d43c6aaccd886ac2a1c217e3c26f23f01556a4a6677a6a39a6b58809f569123459fc45a6d54e00546e234852174232e83ebee |
memory/2772-57-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
| N/A | 127.0.0.1:5000 | N/A | tcp |
Files
memory/1812-0-0x0000000002140000-0x0000000002141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | 76147d246b9de61bd64d2fbd4cf6cedf |
| SHA1 | bb7d48713ea29621b9d30d4b3012de521bac3e9c |
| SHA256 | 7dbb226279a04ba42220f10d036fb27bf58fe8cdc0d10a02dea04900becad43b |
| SHA512 | 577f86c9139c2979adfc6576992c3cabae9747b5b91366f09eac5eb233228b81caafdcebe4e2cce7885115b679b75f27621ed41737f76f1a6e7cd9d94b40d2ad |
memory/1812-30-0x0000000002140000-0x0000000002141000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20231129-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe"
Network
Files
memory/2364-0-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2364-1-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2364-3-0x00000000003B0000-0x00000000003B1000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240215-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\点我一次自动更新.bat"
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240221-en
Max time kernel
121s
Max time network
130s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe"
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240419-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动解压补丁\自动解压.exe"
Network
Files
memory/1760-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1760-1-0x00000000003A0000-0x00000000003A1000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240220-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe"
Network
Files
memory/3064-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3064-15-0x0000000000400000-0x00000000004E6000-memory.dmp
memory/3064-17-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240508-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2896 wrote to memory of 2436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe"
Network
Files
memory/2316-0-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2316-1-0x00000000003B0000-0x00000000003B1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240221-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\M2Server.exe"
Network
Files
memory/1968-0-0x0000000000400000-0x000000000079E000-memory.dmp
memory/1968-1-0x0000000000310000-0x0000000000311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\String.ini
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Command.ini
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\!Setup.txt
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Exps.ini
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Envir\Nations\Nations.ini
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240508-en
Max time kernel
145s
Max time network
120s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\RunGate.exe"
Network
Files
memory/2224-0-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | 76147d246b9de61bd64d2fbd4cf6cedf |
| SHA1 | bb7d48713ea29621b9d30d4b3012de521bac3e9c |
| SHA256 | 7dbb226279a04ba42220f10d036fb27bf58fe8cdc0d10a02dea04900becad43b |
| SHA512 | 577f86c9139c2979adfc6576992c3cabae9747b5b91366f09eac5eb233228b81caafdcebe4e2cce7885115b679b75f27621ed41737f76f1a6e7cd9d94b40d2ad |
memory/2224-30-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\普及版合区工具\HeroM2普通版合区程序.exe"
Network
Files
memory/652-0-0x0000000002320000-0x0000000002321000-memory.dmp
memory/652-1-0x0000000000400000-0x000000000048E000-memory.dmp
memory/652-3-0x0000000002320000-0x0000000002321000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\远程脚本发送.exe"
Network
Files
memory/3080-0-0x0000000002470000-0x0000000002471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | 45deb81ed65657f5e87552b26d9b82d3 |
| SHA1 | 735eb5119b53583e8ee8131a18067f24260fb710 |
| SHA256 | e850b7112c3326fc9e05b8a1092b4f31948766a44fb06e86ef5a7fb6c315d585 |
| SHA512 | f47e6712115f4a46f1522e41d50bc782eb0588928f1f95bf758c09f44652b4456c3f42c3bf207af191507fabbcb2b4f4e28e4b86140fbbf2d2388c623a904cbe |
memory/3080-15-0x0000000000400000-0x00000000004E6000-memory.dmp
memory/3080-17-0x0000000002470000-0x0000000002471000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
110s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\GameCenter.exe"
Network
Files
memory/1960-0-0x0000000000690000-0x0000000000691000-memory.dmp
memory/1960-1-0x0000000000690000-0x0000000000691000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\HeroM2帮助文件.chm
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4484 wrote to memory of 4164 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\IPLocal.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
104s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LoginGate.exe"
Network
Files
memory/1892-0-0x00000000021B0000-0x00000000021B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Config.ini
| MD5 | 6bfb003c5160e37c339236e8a3d12331 |
| SHA1 | 6258603296cb7e1d3784d2e5c24c4fadbfe63b2e |
| SHA256 | 86c43f03cdef1c127300bfdac1df7abd9717093dcecaacb398686cd7208a8b5a |
| SHA512 | 1b4cc5275bad98b4c31fa3359a84401f10481cb39c103139bba59fee6832d866e3bc628b181a12edca53787a3c2ad23984ce0e1ad7bf9b58f6e102ca3708806a |
memory/1892-20-0x00000000021B0000-0x00000000021B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\DBServer.exe"
Network
Files
memory/2124-0-0x0000000000400000-0x000000000051A000-memory.dmp
memory/2124-1-0x00000000006D0000-0x00000000006D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\Dbsrc.ini
| MD5 | c9c61f0d4ddb10b4af2cf27f650d7192 |
| SHA1 | 46cd07232d527d04a1b92fbbc29807b8450ad2bb |
| SHA256 | a0495ea6e095400dc4e5c6386a856199db78c0df9f4dfab7ddf166156f690f96 |
| SHA512 | 1ba14435db46b189b13bca141d11597c162dcd8471634ac6610d69b6ca3c92752b52f11697f2f541bf1962ebb401350bef2c8ae2d420425c32006d94c4abc120 |
memory/2124-18-0x0000000000400000-0x000000000051A000-memory.dmp
memory/2124-20-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/2124-25-0x0000000000400000-0x000000000051A000-memory.dmp
memory/2124-31-0x0000000000400000-0x000000000051A000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\LogDataServer.exe"
Network
Files
memory/776-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/776-1-0x00000000001B0000-0x00000000001B1000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe
"C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\自动修改Boot.ini文件.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3728 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-18 11:40
Reported
2024-05-18 11:43
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\HeroM2Popular0322\HeroM2帮助文件.chm