File name: nba@51_298479.exe.zip

Full analysis: https://app.any.run/tasks/da9582fc-2fbc-4bcc-8fcd-924a3881d4a8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 11, 2019, 06:32:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, adware, evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: AB4F2DAC6C7279BC4B3AEA0CDB97DD4F
SHA1: 0EB692A3DA47E7D98033CECBBA91AC6E819C3C28
SHA256: 213A631C5957C335B0AA1AF6DD5060874091FCDED971F4B8A4A6145ECADC2F68
SSDEEP: 24576:IGoodAGp2dx46VF7JNdfQGFqE80+VW6Zp6aLTYSUY7xe9ocsij7sDl6EIrDWjm9Z:GoyNIeZ9BoVVJr6aLTJUSxeycsy0AmOr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nba@51_298479.exe (PID: 3140)
      • nba@51_298479.exe (PID: 3488)
      • LDSGameMasterInstRoad_212501.exe (PID: 2744)
      • ldsgamemaster.exe (PID: 2800)
      • SoftMgrInst.exe (PID: 3184)
      • nba@51_298479.exe (PID: 1632)
      • GameMasterHelper.exe (PID: 3224)
      • LDSGameHall.exe (PID: 1400)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • update.exe (PID: 2556)
      • TenioDL.exe (PID: 2724)
      • QMEmulatorService.exe (PID: 2736)
      • Tinst.exe (PID: 3952)
      • nba@51_298479.exe (PID: 3756)
      • GameDownload.exe (PID: 796)
      • AppMarket.exe (PID: 3720)
      • TBSWebRenderer.exe (PID: 2244)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • TenioDL.exe (PID: 2452)
      • K8GM.exe (PID: 2176)
      • K8Update.exe (PID: 3288)
      • K8Bubble.exe (PID: 2444)
      • nba@51_298479.exe (PID: 2104)
      • K8Update.exe (PID: 3852)
      • K8GM.exe (PID: 3428)
      • K8Update.exe (PID: 756)
      • K8Web.exe (PID: 3616)
      • BirdHelper.exe (PID: 2956)
      • LdsHelper.exe (PID: 2992)
      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Loads dropped or rewritten executable

      • LDSGameMasterInstRoad_212501.exe (PID: 2744)
      • ldsgamemaster.exe (PID: 2800)
      • SoftMgrInst.exe (PID: 3184)
      • GameMasterHelper.exe (PID: 3224)
      • RegSvr32.exe (PID: 3328)
      • RegSvr32.exe (PID: 3080)
      • svchost.exe (PID: 852)
      • explorer.exe (PID: 276)
      • LDSGameHall.exe (PID: 1400)
      • TenioDL.exe (PID: 2724)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • update.exe (PID: 2556)
      • Tinst.exe (PID: 3952)
      • QMEmulatorService.exe (PID: 2736)
      • AppMarket.exe (PID: 3720)
      • TBSWebRenderer.exe (PID: 2244)
      • GameDownload.exe (PID: 796)
      • TenioDL.exe (PID: 2452)
      • K8GM.exe (PID: 2176)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • regsvr32.exe (PID: 2236)
      • regsvr32.exe (PID: 1520)
      • K8Update.exe (PID: 3288)
      • K8GM.exe (PID: 3428)
      • K8Bubble.exe (PID: 2444)
      • K8Update.exe (PID: 3852)
      • K8Update.exe (PID: 756)
      • K8Web.exe (PID: 3616)
      • LdsHelper.exe (PID: 2992)
      • BirdHelper.exe (PID: 2956)
      • regsvr32.exe (PID: 3176)
    • Downloads executable files from the Internet

      • nba@51_298479.exe (PID: 3488)
      • ldsgamemaster.exe (PID: 2800)
    • Changes settings of System certificates

      • ldsgamemaster.exe (PID: 2800)
      • AppMarket.exe (PID: 3720)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ldsgamemaster.exe (PID: 2800)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Adds new firewall rule via NETSH.EXE

      • Tinst.exe (PID: 3952)
    • Changes the autorun value in the registry

      • K8Bubble.exe (PID: 2444)
    • Connects to CnC server

      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Loads the Task Scheduler COM API

      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • SUSPICIOUS

    • Creates files in the program directory

      • nba@51_298479.exe (PID: 3488)
      • ldsgamemaster.exe (PID: 2800)
      • AppMarket.exe (PID: 3720)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • Tinst.exe (PID: 3952)
    • Reads Internet Cache Settings

      • LDSGameMasterInstRoad_212501.exe (PID: 2744)
      • ldsgamemaster.exe (PID: 2800)
      • explorer.exe (PID: 276)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • GameDownload.exe (PID: 796)
      • K8GM.exe (PID: 3428)
      • K8Web.exe (PID: 3616)
      • nba@51_298479.exe (PID: 3488)
    • Creates files in the user directory

      • nba@51_298479.exe (PID: 3488)
      • SoftMgrInst.exe (PID: 3184)
      • ldsgamemaster.exe (PID: 2800)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • LDSGameHall.exe (PID: 1400)
      • TenioDL.exe (PID: 2724)
      • Tinst.exe (PID: 3952)
      • AppMarket.exe (PID: 3720)
      • TenioDL.exe (PID: 2452)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • K8GM.exe (PID: 2176)
      • K8GM.exe (PID: 3428)
      • K8Update.exe (PID: 756)
      • K8Web.exe (PID: 3616)
      • BirdHelper.exe (PID: 2956)
      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Executable content was dropped or overwritten

      • LDSGameMasterInstRoad_212501.exe (PID: 2744)
      • nba@51_298479.exe (PID: 3488)
      • ldsgamemaster.exe (PID: 2800)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • LDSGameHall.exe (PID: 1400)
      • Market.exe (PID: 3384)
      • Tinst.exe (PID: 3952)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Low-level read access rights to disk partition

      • LDSGameMasterInstRoad_212501.exe (PID: 2744)
      • ldsgamemaster.exe (PID: 2800)
      • GameMasterHelper.exe (PID: 3224)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • LDSGameHall.exe (PID: 1400)
      • update.exe (PID: 2556)
      • AppMarket.exe (PID: 3720)
      • GameDownload.exe (PID: 796)
      • K8GM.exe (PID: 2176)
      • K8Update.exe (PID: 3288)
      • K8GM.exe (PID: 3428)
      • K8Update.exe (PID: 756)
      • K8Update.exe (PID: 3852)
      • K8Bubble.exe (PID: 2444)
      • BirdHelper.exe (PID: 2956)
      • LdsHelper.exe (PID: 2992)
      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Adds / modifies Windows certificates

      • ldsgamemaster.exe (PID: 2800)
      • AppMarket.exe (PID: 3720)
    • Application launched itself

      • nba@51_298479.exe (PID: 3488)
    • Creates COM task schedule object

      • RegSvr32.exe (PID: 3080)
      • RegSvr32.exe (PID: 3328)
      • regsvr32.exe (PID: 1520)
      • regsvr32.exe (PID: 2236)
      • regsvr32.exe (PID: 3176)
      • regsvr32.exe (PID: 3132)
      • regsvr32.exe (PID: 3648)
    • Creates or modifies windows services

      • ldsgamemaster.exe (PID: 2800)
      • regsvr32.exe (PID: 3812)
    • Changes IE settings (feature browser emulation)

      • LDSGameHall.exe (PID: 1400)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • K8GM.exe (PID: 3428)
    • Creates a software uninstall entry

      • LDSGameHall.exe (PID: 1400)
      • Tinst.exe (PID: 3952)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
    • Modifies the open verb of a shell class

      • LDSGameHall.exe (PID: 1400)
      • Tinst.exe (PID: 3952)
      • hnote.exe (PID: 3824)
    • Uses ICACLS.EXE to modify access control list

      • TenioDL.exe (PID: 2724)
    • Uses NETSH.EXE for network configuration

      • Tinst.exe (PID: 3952)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 4072)
      • cmd.exe (PID: 3560)
      • cmd.exe (PID: 3588)
      • cmd.exe (PID: 3708)
    • Executed as Windows Service

      • QMEmulatorService.exe (PID: 2736)
    • Reads internet explorer settings

      • LDSGameHall.exe (PID: 1400)
      • K8Web.exe (PID: 3616)
      • K8GM.exe (PID: 3428)
    • Starts CMD.EXE for commands execution

      • kuai8_c200032_s1_p1.exe (PID: 2696)
    • Creates files in the Windows directory

      • ldsgamemaster.exe (PID: 2800)
      • svchost.exe (PID: 852)
    • Searches for installed software

      • ldsgamemaster.exe (PID: 2800)
  • INFO

    • Manual execution by user

      • nba@51_298479.exe (PID: 3140)
      • nba@51_298479.exe (PID: 3488)
    • Dropped object may contain Bitcoin addresses

      • ldsgamemaster.exe (PID: 2800)
      • kuai8_c200032_s1_p1.exe (PID: 2696)
      • K8GM.exe (PID: 3428)
    • Reads settings of System Certificates

      • explorer.exe (PID: 276)
      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • AppMarket.exe (PID: 3720)
      • GameDownload.exe (PID: 796)
      • K8Web.exe (PID: 3616)
      • K8GM.exe (PID: 3428)
    • Reads the hosts file

      • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
      • AppMarket.exe (PID: 3720)
      • GameDownload.exe (PID: 796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: a799857e7d44840d86bf1c4dff23db15e1c4be97fdd8a5a28071b1e1a062d85c
ZipUncompressedSize: 2576384
ZipCompressedSize: 1360201
ZipCRC: 0x00000000
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 69
Malicious processes: 28
Suspicious processes: 4

Behavior graph

[Interactive process graph not reproduced here; available in the full report. Processes shown in the graph: winrar.exe, nba@51_298479.exe, notepad.exe, ldsgamemasterinstroad_212501.exe, ldsgamemaster.exe, softmgrinst.exe, gamemasterhelper.exe, regsvr32.exe, explorer.exe, gamedownload_hk_hj_syzs_500202007_jm.exe, svchost.exe, ldsgamehall.exe, teniodl.exe, update.exe, icacls.exe, market.exe, tinst.exe, qmemulatorservice.exe, netsh.exe, appmarket.exe, tbswebrenderer.exe, gamedownload.exe, kuai8_c200032_s1_p1.exe, cmd.exe, k8gm.exe, k8update.exe, k8bubble.exe, k8web.exe, birdhelper.exe, ldshelper.exe, hninstall_setup_3486648174_jk_001.exe, hnote.exe, notepaper.exe, regedit.exe]

Process information

PID: 3056
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\nba@51_298479.exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3140
CMD: "C:\Users\admin\Desktop\nba@51_298479.exe"
Path: C:\Users\admin\Desktop\nba@51_298479.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 3488
CMD: "C:\Users\admin\Desktop\nba@51_298479.exe"
Path: C:\Users\admin\Desktop\nba@51_298479.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH

PID: 1648
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\404Error.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: nba@51_298479.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2744
CMD: "C:\Users\admin\AppData\Local\Temp\LDSGameMasterInstRoad_212501.exe"
Path: C:\Users\admin\AppData\Local\Temp\LDSGameMasterInstRoad_212501.exe
Parent process: nba@51_298479.exe
User: admin
Integrity Level: HIGH
Description: 手机模拟大师 (Mobile Phone Emulator Master)
Exit code: 0
Version: 5, 2, 0, 1030

PID: 2800
CMD: "C:\Users\admin\AppData\Local\Temp\ldsgamemaster.exe" /PID="212501" /S /FROM=inst
Path: C:\Users\admin\AppData\Local\Temp\ldsgamemaster.exe
Parent process: LDSGameMasterInstRoad_212501.exe
User: admin
Integrity Level: HIGH
Description: 手机模拟大师 (Mobile Phone Emulator Master)
Version: 5.1.2051.2080

PID: 3184
CMD: "C:\LDSGameMaster\SoftMgr\SoftMgrInst.exe" --hwnd=196976 --from=LDSGameMaster --new=true --log
Path: C:\LDSGameMaster\SoftMgr\SoftMgrInst.exe
Parent process: ldsgamemaster.exe
User: admin
Integrity Level: HIGH
Description: SoftMgrInst Module
Exit code: 0
Version: 1, 0, 0, 1070

PID: 1632
CMD: C:\Users\admin\Desktop\nba@51_298479.exe {commondesktop}\手机模拟大师.lnk,{userdesktop}\手机模拟大师.lnk
(the .lnk names are GBK-encoded 手机模拟大师; the captured command line rendered them as ÊÖ»úÄ£Äâ´óʦ)
Path: C:\Users\admin\Desktop\nba@51_298479.exe
Parent process: nba@51_298479.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3224
CMD: C:\LDSGameMaster\Utils\GameMasterHelper.exe
Path: C:\LDSGameMaster\Utils\GameMasterHelper.exe
Parent process: ldsgamemaster.exe
User: admin
Integrity Level: HIGH
Version: 6.0.0.1001

PID: 3080
CMD: "C:\Windows\System32\RegSvr32.exe" /s /i "C:\LDSGameMaster\GameMemoryOpt.dll"
Path: C:\Windows\System32\RegSvr32.exe
Parent process: ldsgamemaster.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 4
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 16 379
Read events: 14 000
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 426
Suspicious files: 218
Text files: 1 951
Unknown types: 57

Dropped files

PID | Process | Filename
3056 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3056.8683\a799857e7d44840d86bf1c4dff23db15e1c4be97fdd8a5a28071b1e1a062d85c
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Temp\{0F890ACD-19C6-4ace-BAE4-463224FC7592}.tf
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Temp\ludE995.tmp
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Temp\{4A7C38A0-59DB-4cf0-A7C3-B5278BB5A275}.tf
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Temp\ludE9C4.tmp
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Temp\{BD1EED3A-031E-4279-83E9-7203B865B7D1}.tf
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\mgame[1].txt
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\mgame[2].txt
2744 | LDSGameMasterInstRoad_212501.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\mgame[1].txt
2800 | ldsgamemaster.exe | C:\Users\admin\AppData\Local\Temp\{652E4AC1-F221-4d1e-8143-7128A80953B5}.tf

The Type, MD5 and SHA256 fields for these entries are empty in this export.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 490
TCP/UDP connections: 327
DNS requests: 94
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3488 | nba@51_298479.exe | GET | - | 104.24.21.50:80 | http://myip.ipip.net/ | US | - | - | suspicious
2744 | LDSGameMasterInstRoad_212501.exe | GET | - | 104.192.108.17:80 | http://dl.ludashi.com/gamemaster/buychannelFull.exe | US | - | - | whitelisted
2744 | LDSGameMasterInstRoad_212501.exe | GET | - | 104.192.108.17:80 | http://dl.ludashi.com/gamemaster/buychannelFull.exe | US | - | - | whitelisted
2744 | LDSGameMasterInstRoad_212501.exe | GET | - | 104.192.108.17:80 | http://dl.ludashi.com/gamemaster/buychannelFull.exe | US | - | - | whitelisted
3488 | nba@51_298479.exe | GET | 200 | 140.143.170.124:80 | http://i.ttz3.cn/getsoft/51/298479/nba | CN | text | 97 b | malicious
3488 | nba@51_298479.exe | GET | 200 | 1.189.213.200:80 | http://download.ttz3.cn/404Error.txt | CN | binary | 18 b | malicious
2744 | LDSGameMasterInstRoad_212501.exe | GET | - | 104.192.108.17:80 | http://dl.ludashi.com/gamemaster/buychannelFull.exe | US | - | - | whitelisted
3488 | nba@51_298479.exe | GET | 200 | 104.192.108.17:80 | http://dl.ludashi.com/gamemaster/LDSGameMasterInstRoad_212501.exe | US | executable | 1.34 Mb | whitelisted
3488 | nba@51_298479.exe | POST | 200 | 123.206.4.86:80 | http://xzqlog.ttz3.cn/api/xzqdata | CN | text | 47 b | malicious
3488 | nba@51_298479.exe | POST | 200 | 123.206.4.86:80 | http://xzqlog.ttz3.cn/api/xzqdata | CN | text | 47 b | malicious

(- marks a cell that is empty in this export)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3488 | nba@51_298479.exe | 140.143.170.124:80 | i.ttz3.cn | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
3488 | nba@51_298479.exe | 104.192.108.17:80 | dl.ludashi.com | Beijing Qihu Technology Company Limited | US | malicious
2800 | ldsgamemaster.exe | 116.136.135.223:80 | cdn-file-ssl-monidashi.ludashi.com | - | CN | unknown
3488 | nba@51_298479.exe | 104.24.21.50:80 | myip.ipip.net | Cloudflare Inc | US | shared
2800 | ldsgamemaster.exe | 115.28.112.133:80 | l.public.ludashi.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
2800 | ldsgamemaster.exe | 68.232.34.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2744 | LDSGameMasterInstRoad_212501.exe | 114.115.214.33:80 | s.ludashi.com | China Unicom Beijing Province Network | CN | suspicious
2800 | ldsgamemaster.exe | 114.115.214.33:80 | s.ludashi.com | China Unicom Beijing Province Network | CN | suspicious
3488 | nba@51_298479.exe | 1.189.213.200:80 | download.ttz3.cn | CHINA UNICOM China169 Backbone | CN | unknown
3488 | nba@51_298479.exe | 123.206.4.86:80 | xzqlog.ttz3.cn | Shenzhen Tencent Computer Systems Company Limited | CN | malicious

(- marks a cell that is empty in this export)

DNS requests

Domain | IP | Reputation
i.ttz3.cn | 140.143.170.124 | unknown
xzqlog.ttz3.cn | 123.206.4.86 | malicious
myip.ipip.net | 104.24.21.50, 104.24.20.50 | suspicious
download.ttz3.cn | 1.189.213.200, 118.212.234.89, 27.221.28.204, 59.80.39.108, 1.189.213.92, 101.69.121.89, 113.1.0.63, 118.212.231.61, 121.31.30.201, 27.221.28.254, 220.194.87.190, 42.56.79.189 | malicious
dl.ludashi.com | 104.192.108.17, 104.192.108.18 | whitelisted
s.ludashi.com | 114.115.214.33 | suspicious
www.download.windowsupdate.com | 68.232.34.240 | whitelisted
zhushou.ludashi.com | 120.27.83.10 | unknown
l.public.ludashi.com | 115.28.112.133 | unknown
cdn-file-ssl-monidashi.ludashi.com | 116.136.135.223, 116.136.135.227, 116.136.135.224, 116.136.135.222, 116.136.135.225, 116.136.135.228, 116.136.135.221, 116.136.135.226 | malicious

Threats

PID | Process | Class | Message
3488 | nba@51_298479.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2744 | LDSGameMasterInstRoad_212501.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3184 | SoftMgrInst.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
3184 | SoftMgrInst.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
3184 | SoftMgrInst.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
3488 | nba@51_298479.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2800 | ldsgamemaster.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2800 | ldsgamemaster.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2544 | GameDownload_hk_hj_syzs_500202007_jm.exe | Generic Protocol Command Decode | SURICATA TLS error message encountered
2544 | GameDownload_hk_hj_syzs_500202007_jm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
7 ETPRO signatures available at the full report
Process | Message
GameDownload_hk_hj_syzs_500202007_jm.exe | [Downloader] GetLogicalDrives 4
GameDownload_hk_hj_syzs_500202007_jm.exe | [Downloader] DriverType C: = 3
GameDownload_hk_hj_syzs_500202007_jm.exe | [Downloader] GetLogicalDrives 4
GameDownload_hk_hj_syzs_500202007_jm.exe | [Downloader] DriverType C: = 3
LDSGameHall.exe | ==============FindEmulatorToHallBridgeWindow Error:0.
LDSGameHall.exe | ==============FindEmulatorToHallBridgeWindow Error:0.
LDSGameHall.exe | ==============FindEmulatorToHallBridgeWindow Error:0.
LDSGameHall.exe | ==============FindEmulatorToHallBridgeWindow Error:0.
LDSGameHall.exe | ==============FindEmulatorToHallBridgeWindow Error:0.
LDSGameHall.exe | ==============FindEmulatorToHallBridgeWindow Error:0.