

Windows Analysis Report
https://down-package.ludashicdn.com/downloader/temp_package/2024-07/%E8%85%BE%E8%AE%AF%E4%BC%9A.%E8%AE%AE_4496905339.exe

Overview

General Information

Sample URL: https://down-package.ludashicdn.com/downloader/temp_package/2024-07/%E8%85%BE%E8%AE%AF%E4%BC%9A.%E8%AE%AE_4496905339.exe
Analysis ID: 1478577

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Chrome blocked dangerous download
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains capabilities to detect virtual machines
Downloads executable code via HTTP
Drops PE files
Found dropped PE file which has not been started or loaded
Is looking for software installed on the system
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Sigma detected: File Download From Browser Process Via Inline URL
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://down-package.ludashicdn.com/downloader/temp_package/2024-07/腾讯会.议_4496905339.exe MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1916,i,517428189521506084,16175199301985379620,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 --field-trial-handle=1916,i,517428189521506084,16175199301985379620,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • 腾讯会.议_4496905339.exe (PID: 6852 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
    • 腾讯会.议_4496905339.exe (PID: 6756 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
    • 腾讯会.议_4496905339.exe (PID: 7748 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
  • rundll32.exe (PID: 7888 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 腾讯会.议_4496905339.exe (PID: 8064 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
  • 腾讯会.议_4496905339.exe (PID: 8116 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
  • 腾讯会.议_4496905339.exe (PID: 7620 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
  • 腾讯会.议_4496905339.exe (PID: 4880 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
  • 腾讯会.议_4496905339.exe (PID: 3964 cmdline: "C:\Users\user\Downloads\腾讯会.议_4496905339.exe" MD5: 3490DC6FE080B01509AE7ADF52D6F3D0)
  • cleanup
No yara matches
Source: Process started
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://down-package.ludashicdn.com/downloader/temp_package/2024-07/腾讯会.议_4496905339.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://down-package.ludashicdn.com/downloader/temp_package/2024-07/腾讯会.议_4496905339.exe, CommandLine|base64offset|contains: -j~b,, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3816, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://down-package.ludashicdn.com/downloader/temp_package/2024-07/腾讯会.议_4496905339.exe, ProcessId: 876, ProcessName: chrome.exe
No Snort rule has matched


AV Detection

Source: C:\Users\user\Downloads\Unconfirmed 665717.crdownload, ReversingLabs: Detection: 54%
Source: unknown, HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 47.104.160.247:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 47.104.160.247:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 47.104.160.247:443 -> 192.168.2.16:49732 version: TLS 1.2

Networking

Source: screenshot OCR text: Untitled ' ik_449690S339.exe m/downloader/temp_package/2024-07/EIF, Keep 4496905339.exe Blocked Dangerous 13:59 ENG p Type here to search SG 22/07/2024 (Chrome download bubble showing the .exe as Blocked / Dangerous with the Keep option visible)
Source: global traffic, HTTP traffic detected:
HTTP/1.1 200 OK
Server: Byte-nginx
Content-Type: application/octet-stream
Content-Length: 88904672
Connection: keep-alive
Accept-Ranges: bytes
Age: 989920
Etag: "C081926BCE36136646044B124BB34D1E"
Last-Modified: Fri, 28 Jun 2024 12:15:16 GMT
X-Bdcdn-Cache-Status: TCP_HIT
X-Oss-Hash-Crc64ecma: 16312945158841337521
X-Oss-Meta-Mtime: 1719568454
X-Oss-Object-Type: Normal
X-Oss-Request-Id: 668F83499C75C63032383725
X-Oss-Server-Time: 73
X-Oss-Storage-Class: Standard
X-Request-Id: e4617eda184e00a71d130ef6ee054f3b
X-Request-Ip: 8.46.123.33
X-Response-Cache: edge_hit
X-Response-Cinfo: 8.46.123.33
X-Tt-Trace-Tag: id=5
Date: Mon, 22 Jul 2024 18:00:08 GMT
via: cache04.hsct02
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5b 03 1e 2f 1f 62 70 7c 1f 62 70 7c 1f 62 70 7c ab fe 81 7c 09 62 70 7c ab fe 83 7c b1 62 70 7c ab fe 82 7c 3f 62 70 7c 88 0b 75 7d 19 62 70 7c 89 0b 78 7d 1d 62 70 7c 1f 62 70 7c 1e 62 70 7c 5e 05 75 7d 0a 62 70 7c 87 0b 75 7d 19 62 70 7c 81 c2 b7 7c 1c 62 70 7c 4d 0a 73 7d 06 62 70 7c 4d 0a 74 7d 3b 62 70 7c 4d 0a 75 7d 9f 62 70 7c 16 1a f3 7c 18 62 70 7c 16 1a e3 7c 36 62 70 7c 1f 62 71 7c 1b 60 70 7c 89 0b 74 7d 1e 62 70 7c 89 0b 75 7d 79 62 70 7c 89 0b 70 7d 1e 62 70 7c 89 0b 8f 7c 1e 62 70 7c 1f 62 e7 7c 1d 62 70 7c 89 0b 72 7d 1e 62 70 7c 52 69 63 68 1f 62 70 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e 35 fd 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 10 00 24 18 00 00 b0 36 00 00 00 00 00 2b d9 0a 00 00 10 00 00 00 40 18 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 4f 00 00 04 00 00 7a f1 4c 05 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 80 1c 1d 00 58 00 00 00 d8 1c 1d 00 a4 01 00 00 00 20 1e 00 bc c9 2f 00 00 00 00 00 00 00 00 00 00 6a 4c 05 e0 29 00 00 00 f0 4d 00 d0 47 01 00 70 f9 1a 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 fa 1a 00
Data Ascii: MZ@X!L!This program cannot be run in DOS mode.$[/bp|bp|bp||bp||bp||?bp|u}bp|x}bp|bp|bp|^u}bp|u}bp||bp|Ms}bp|Mt};bp|Mu}bp||bp||6bp|bq|`p|t}bp|u}ybp|p}bp||bp|b|bp|r}bp|Richbp|PEL>5e!$6+@@OzL@X /jL)MGpTh
Source: global traffic, HTTP traffic detected:
HTTP/1.1 200 OK
Server: Byte-nginx
Content-Type: application/octet-stream
Content-Length: 88904672
Connection: keep-alive
Accept-Ranges: bytes
Age: 989934
Etag: "C081926BCE36136646044B124BB34D1E"
Last-Modified: Fri, 28 Jun 2024 12:15:16 GMT
X-Bdcdn-Cache-Status: TCP_HIT
X-Oss-Hash-Crc64ecma: 16312945158841337521
X-Oss-Meta-Mtime: 1719568454
X-Oss-Object-Type: Normal
X-Oss-Request-Id: 668F83499C75C63032383725
X-Oss-Server-Time: 73
X-Oss-Storage-Class: Standard
X-Request-Id: fc12987cd5bf68518f0093ed8a923d4b
X-Request-Ip: 8.46.123.33
X-Response-Cache: edge_hit
X-Response-Cinfo: 8.46.123.33
X-Tt-Trace-Tag: id=5
Date: Mon, 22 Jul 2024 18:00:22 GMT
via: cache01.hsct02
Data Raw / Data Ascii: the same MZ/PE header bytes as the first 200 OK response above (same Etag and X-Oss-Request-Id, i.e. the same cached object)
Source: global traffic, HTTP traffic detected:
HTTP/1.1 200 OK
Server: Byte-nginx
Content-Type: application/octet-stream
Content-Length: 88904672
Connection: keep-alive
Accept-Ranges: bytes
Age: 989955
Etag: "C081926BCE36136646044B124BB34D1E"
Last-Modified: Fri, 28 Jun 2024 12:15:16 GMT
X-Bdcdn-Cache-Status: TCP_HIT
X-Oss-Hash-Crc64ecma: 16312945158841337521
X-Oss-Meta-Mtime: 1719568454
X-Oss-Object-Type: Normal
X-Oss-Request-Id: 668F83499C75C63032383725
X-Oss-Server-Time: 73
X-Oss-Storage-Class: Standard
X-Request-Id: ca42b42edd7a4993ecfecb0c8e2f531a
X-Request-Ip: 8.46.123.33
X-Response-Cache: edge_hit
X-Response-Cinfo: 8.46.123.33
X-Tt-Trace-Tag: id=5
Date: Mon, 22 Jul 2024 18:00:43 GMT
via: cache05.hsct02
Data Raw / Data Ascii: the same MZ/PE header bytes as the first 200 OK response above (same Etag and X-Oss-Request-Id, i.e. the same cached object)
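The 200 OK responses above start with an MZ/PE header, and the report's "Downloads executable code via HTTP" signature is about exactly this transfer. The following is an added example, not part of the Joe Sandbox report: it parses the captured header bytes (transcribed from the Data Raw dump above) far enough to answer what an analyst asks first: what kind of image this is, when and with which linker it was built, and whether the advertised Content-Length (88904672, taken from the response headers above) agrees with the file layout. The security data directory holds the file offset and size of the Authenticode blob, which normally sits at the very end of a signed file, so offset + size should equal the transfer length. Reading this body as ludashi_lite_sem.dll from the requests listed further down is an inference from the IMAGE_FILE_DLL flag, the 0x10000000 image base and the export table, not something the report states.

```python
import struct
from datetime import datetime, timezone

# First 540 bytes of the HTTP response body shown above (its "Data Raw" dump),
# transcribed here so the parser runs offline. Constructed input for this example.
CAPTURED_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 01 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
5b 03 1e 2f 1f 62 70 7c 1f 62 70 7c 1f 62 70 7c ab fe 81 7c 09 62 70 7c ab fe 83 7c b1 62 70 7c
ab fe 82 7c 3f 62 70 7c 88 0b 75 7d 19 62 70 7c 89 0b 78 7d 1d 62 70 7c 1f 62 70 7c 1e 62 70 7c
5e 05 75 7d 0a 62 70 7c 87 0b 75 7d 19 62 70 7c 81 c2 b7 7c 1c 62 70 7c 4d 0a 73 7d 06 62 70 7c
4d 0a 74 7d 3b 62 70 7c 4d 0a 75 7d 9f 62 70 7c 16 1a f3 7c 18 62 70 7c 16 1a e3 7c 36 62 70 7c
1f 62 71 7c 1b 60 70 7c 89 0b 74 7d 1e 62 70 7c 89 0b 75 7d 79 62 70 7c 89 0b 70 7d 1e 62 70 7c
89 0b 8f 7c 1e 62 70 7c 1f 62 e7 7c 1d 62 70 7c 89 0b 72 7d 1e 62 70 7c 52 69 63 68 1f 62 70 7c
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00
3e 35 fd 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 10 00 24 18 00 00 b0 36 00 00 00 00 00
2b d9 0a 00 00 10 00 00 00 40 18 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00
05 00 01 00 00 00 00 00 00 40 4f 00 00 04 00 00 7a f1 4c 05 02 00 40 01 00 00 10 00 00 10 00 00
00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 80 1c 1d 00 58 00 00 00 d8 1c 1d 00 a4 01 00 00
00 20 1e 00 bc c9 2f 00 00 00 00 00 00 00 00 00 00 6a 4c 05 e0 29 00 00 00 f0 4d 00 d0 47 01 00
70 f9 1a 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 fa 1a 00
"""
CONTENT_LENGTH = 88904672  # Content-Length header of the same response

IMAGE_FILE_DLL = 0x2000
DIRS = ["export", "import", "resource", "exception", "security", "basereloc", "debug",
        "architecture", "globalptr", "tls", "load_config", "bound_import", "iat",
        "delay_import", "com_descriptor", "reserved"]


def load_capture(hexdump: str = CAPTURED_HEX) -> bytes:
    return bytes.fromhex(hexdump)


def parse_pe_prefix(data: bytes) -> dict:
    """Parse the DOS header, Rich header, COFF header, PE32 optional header and
    every complete data-directory entry present in a truncated capture."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")

    # Rich header: the 'Rich' marker is followed by the XOR key, and that key must
    # decode 'DanS' at the block start; if it does not, the block is damaged or forged.
    rich_entries = None
    rich_at = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_at != -1:
        key = struct.unpack_from("<I", data, rich_at + 4)[0]
        for off in range(rich_at - 4, 0x40, -4):
            if struct.unpack_from("<I", data, off)[0] ^ key == 0x536E6144:  # 'DanS'
                rich_entries = (rich_at - (off + 16)) // 8  # (comp_id, count) pairs
                break

    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i in range(min(n_dirs, len(DIRS))):
        off = opt + 96 + 8 * i
        if off + 8 > len(data):
            break  # the capture ends inside the table; keep only complete entries
        dirs[DIRS[i]] = struct.unpack_from("<II", data, off)
    return {
        "machine": machine, "sections": nsect,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "is_dll": bool(chars & IMAGE_FILE_DLL), "linker": f"{lmaj}.{lmin}",
        "image_base": image_base, "size_of_image": size_of_image,
        "subsystem": subsystem, "dll_characteristics": dllchars,
        "rich_entries": rich_entries, "directories": dirs,
    }


def signed_tail_consistent(info: dict, content_length: int) -> bool:
    """The security directory stores a file offset (not an RVA) and size for the
    Authenticode blob, which is normally the last thing in a signed file, so
    offset + size should equal the advertised transfer length."""
    off, size = info["directories"].get("security", (0, 0))
    return size > 0 and off + size == content_length


if __name__ == "__main__":
    info = parse_pe_prefix(load_capture())
    for k, v in info.items():
        print(f"{k:>20}: {v}")
    print("certificate table ends exactly at Content-Length:",
          signed_tail_consistent(info, CONTENT_LENGTH))
```

A certificate table being present says nothing about whether the signature verifies or whether the downloader checks it before loading the file; delivered over cleartext HTTP, as the report lists it, the bytes can be replaced in transit, which is why that signature is worth a hit on its own. The parser raises rather than guessing when the MZ, PE or PE32 magic is not where the headers say it is, so a capture truncated or damaged before e_lfanew fails loudly instead of producing plausible-looking fields.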
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
GET /inst/get3 HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: softmgr-cfg.ludashi.com
Content-Length: 192
Cache-Control: no-cache
Data Raw: 54 43 54 79 36 30 49 76 77 39 5a 57 4d 46 34 56 4e 45 79 50 6b 45 2b 37 4a 6b 55 4f 79 45 34 48 70 70 76 6b 4b 6b 44 7a 72 73 62 48 6f 32 75 48 6e 4b 57 5a 68 2b 2f 34 59 36 52 4d 78 65 50 49 41 2f 70 64 6f 67 62 6d 36 79 57 73 31 53 58 68 4a 44 6b 4c 58 41 33 44 36 71 5a 64 35 6d 79 35 2b 79 6a 65 56 72 64 6b 52 37 6d 73 44 2f 4e 30 36 50 35 77 4b 47 4a 52 48 55 2b 4b 61 64 71 2f 6e 33 6a 78 77 57 75 4d 33 64 30 36 7a 39 4b 30 4b 59 56 63 57 37 61 56 7a 79 76 67 57 41 69 4d 72 66 31 63 4e 71 77 42 7a 70 4d 79 4f 5a 73 2b 6d 2b 58 65 72 7a 75 77 30 75 6f 56 77 2b 79 41
Data Ascii: TCTy60Ivw9ZWMF4VNEyPkE+7JkUOyE4HppvkKkDzrsbHo2uHnKWZh+/4Y6RMxePIA/pdogbm6yWs1SXhJDkLXA3D6qZd5my5+yjeVrdkR7msD/N06P5wKGJRHU+Kadq/n3jxwWuM3d06z9K0KYVcW7aVzyvgWAiMrf1cNqwBzpMyOZs+m+Xerzuw0uoVw+yA

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=run&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: cdn-thunder.ludashi.com
Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl015sq7bvbJV HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: cdn-pc-thunder.ludashi.com
Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
GET /inst/get3 HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: softmgr-cfg.ludashi.com
Content-Length: 192
Cache-Control: no-cache
Data Raw: same 192 bytes as the first GET /inst/get3 request above
Data Ascii: TCTy60Ivw9ZWMF4VNEyPkE+7JkUOyE4HppvkKkDzrsbHo2uHnKWZh+/4Y6RMxePIA/pdogbm6yWs1SXhJDkLXA3D6qZd5my5+yjeVrdkR7msD/N06P5wKGJRHU+Kadq/n3jxwWuM3d06z9K0KYVcW7aVzyvgWAiMrf1cNqwBzpMyOZs+m+Xerzuw0uoVw+yA

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=run&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: cdn-thunder.ludashi.com
Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Source: global traffic, HTTP traffic detected:
GET /inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl016CO7bvq8y HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: cdn-pc-thunder.ludashi.com
Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=2188&ex_ary[errcode]=14_200_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl016u_7bw9kP HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip,deflate,br
  Accept-Language: zh-CN,zh;q=0.9
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
  Host: cdn-pc-thunder.ludashi.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=2500&ex_ary[errcode]=14_200_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: s.ludashi.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: down-package.ludashicdn.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: softmgr-cfg.ludashi.com
Source: global traffic | DNS traffic detected: DNS query: softmgr-stat.ludashi.com
Source: global traffic | DNS traffic detected: DNS query: s.ludashi.com
Source: global traffic | DNS traffic detected: DNS query: cdn-thunder.ludashi.com
Source: global traffic | DNS traffic detected: DNS query: paint-s.ludashi.com
Source: global traffic | DNS traffic detected: DNS query: cdn-pc-thunder.ludashi.com
Source: unknown | HTTP traffic detected:
  POST /downloader/soft/reportNew HTTP/1.1
  Accept: */*
  Accept-Language: zh-CN,zh;q=0.9
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
  Host: softmgr-stat.ludashi.com
  Content-Length: 352
  Cache-Control: no-cache
  Data Ascii: 8j49N7eVpah7kxLaG9+KcTwVeqxq47iHriCEuIdiNSdEhMXvd3o1qg653T5gMTsfgjXnOsIvbtl7cWtr2+Dh/Y5m3kAiYOHvUnLQnJETozyT8XrGRryAzk/g2ydkHnaUByB2wVwTwIwN0zPlip/cFn2tS0WsZiJ2qXpbpnOdaGws7J8pnuck42qBdnVgl8WduxiJr4/ZftndUzICG9XERM8nUikS3GRd0PPQHNuGCd831Cswt4LMfM5jsty1O+l+/ExfhDYl5M/4GXSkPG5oHuwST5VKiC32LpoVaFGUo+3xp7IC8nYuZBcWL+xoDiB9zMfB0stcRy/81OUCUxDpaAzVKoin+orn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.104.160.247:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.104.160.247:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.104.160.247:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Memory allocated: 77650000 page execute and read and write
Source: classification engine | Classification label: mal60.evad.win@29/20@15/159
Source: C:\Users\user\Downloads\???.?_4496905339.exe | File created: C:\Program Files (x86)\Ludashi
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Mutant created: \Sessions\1\BaseNamedObjects\CUSERSuserAPPDATAROAMINGDOWNLOADERDOWNLOADERLOG
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Mutant created: \Sessions\1\BaseNamedObjects\ThunderMissionDownloadingMutex
Source: C:\Users\user\Downloads\???.?_4496905339.exe | File created: C:\Users\user\AppData\Local\Temp\{CBD60465-8C6A-454a-9911-61083ABC1FB3}.tf
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://down-package.ludashicdn.com/downloader/temp_package/2024-07/???.?_4496905339.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1916,i,517428189521506084,16175199301985379620,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 --field-trial-handle=1916,i,517428189521506084,16175199301985379620,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\user\Downloads\???.?_4496905339.exe "C:\Users\user\Downloads\???.?_4496905339.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: unknown | Process created: C:\Users\user\Downloads\???.?_4496905339.exe "C:\Users\user\Downloads\???.?_4496905339.exe"
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: fwbase.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: wldp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: profapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: netbios.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: version.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: wininet.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: netutils.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: schannel.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: winhttp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: mswsock.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: winnsi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: urlmon.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: srvcli.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: netutils.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: dpapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: schannel.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: mskeyprotect.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: ntasn1.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: ncrypt.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: ncryptsslp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: dbghelp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: firewallapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: fwbase.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: wldp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: msasn1.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: gpapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: cryptnet.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: profapi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: netapi32.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: netbios.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: version.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: wininet.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: iertutil.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: sspicli.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: winhttp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: mswsock.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: winnsi.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: urlmon.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: srvcli.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: netutils.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\???.?_4496905339.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\Downloads\791539ef-d6b9-4d91-82dd-13eaac0fa897.tmpJump to dropped file
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ludashi_lite_sem[1].dllJump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\Downloads\Unconfirmed 665717.crdownloadJump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 11F0005 value: E9 2B BA 4B 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 776ABA30 value: E9 DA 45 B4 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 1540008 value: E9 8B 8E 1B 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 776F8E90 value: E9 80 71 E4 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 1550005 value: E9 8B 4D 41 75
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 76964D90 value: E9 7A B2 BE 8A
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 16D0005 value: E9 EB EB 2A 75
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 7697EBF0 value: E9 1A 14 D5 8A
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 16E0005 value: E9 8B 8A 50 74
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 75BE8A90 value: E9 7A 75 AF 8B
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 16F0005 value: E9 2B 02 52 74
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6852 base: 75C10230 value: E9 DA FD AD 8B
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 1690005 value: E9 2B BA 01 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 776ABA30 value: E9 DA 45 FE 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 3260008 value: E9 8B 8E 49 74
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 776F8E90 value: E9 80 71 B6 8B
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 3280005 value: E9 8B 4D 6E 73
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 76964D90 value: E9 7A B2 91 8C
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 32A0005 value: E9 EB EB 6D 73
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 7697EBF0 value: E9 1A 14 92 8C
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 32B0005 value: E9 8B 8A 93 72
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 75BE8A90 value: E9 7A 75 6C 8D
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 33D0005 value: E9 2B 02 84 72
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 6756 base: 75C10230 value: E9 DA FD 7B 8D
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 830005 value: E9 2B BA E7 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 776ABA30 value: E9 DA 45 18 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 840008 value: E9 8B 8E EB 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 776F8E90 value: E9 80 71 14 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 850005 value: E9 8B 4D 11 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 76964D90 value: E9 7A B2 EE 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 2CE0005 value: E9 EB EB C9 73
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 7697EBF0 value: E9 1A 14 36 8C
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 2CF0005 value: E9 8B 8A EF 72
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 75BE8A90 value: E9 7A 75 10 8D
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 2D00005 value: E9 2B 02 F1 72
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7748 base: 75C10230 value: E9 DA FD 0E 8D
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 660005 value: E9 2B BA 04 77
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 776ABA30 value: E9 DA 45 FB 88
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 670008 value: E9 8B 8E 08 77
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 776F8E90 value: E9 80 71 F7 88
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 680005 value: E9 8B 4D 2E 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 76964D90 value: E9 7A B2 D1 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 6A0005 value: E9 EB EB 2D 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 7697EBF0 value: E9 1A 14 D2 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 7C0005 value: E9 8B 8A 42 75
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 75BE8A90 value: E9 7A 75 BD 8A
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 7D0005 value: E9 2B 02 44 75
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 8116 base: 75C10230 value: E9 DA FD BB 8A
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 850005 value: E9 2B BA E5 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 776ABA30 value: E9 DA 45 1A 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 1230008 value: E9 8B 8E 4C 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 776F8E90 value: E9 80 71 B3 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 1240005 value: E9 8B 4D 72 75
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 76964D90 value: E9 7A B2 8D 8A
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 1260005 value: E9 EB EB 71 75
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 7697EBF0 value: E9 1A 14 8E 8A
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 1370005 value: E9 8B 8A 87 74
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 75BE8A90 value: E9 7A 75 78 8B
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 1380005 value: E9 2B 02 89 74
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 7620 base: 75C10230 value: E9 DA FD 76 8B
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 1550005 value: E9 2B BA 15 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 776ABA30 value: E9 DA 45 EA 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 16C0008 value: E9 8B 8E 03 76
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 776F8E90 value: E9 80 71 FC 89
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 3270005 value: E9 8B 4D 6F 73
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 76964D90 value: E9 7A B2 90 8C
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 3290005 value: E9 EB EB 6E 73
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 7697EBF0 value: E9 1A 14 91 8C
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 32A0005 value: E9 8B 8A 94 72
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 75BE8A90 value: E9 7A 75 6B 8D
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 32B0005 value: E9 2B 02 96 72
Source: C:\Users\user\Downloads\???.?_4496905339.exeMemory written: PID: 3964 base: 75C10230 value: E9 DA FD 69 8D
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Downloads\???.?_4496905339.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\???.?_4496905339.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\???.?_4496905339.exeProcess information set: NOOPENFILEERRORBOX
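The "Memory written" entries above are the evidence behind the "Overwrites code with unconditional jumps" signature. Every written value starts with E9, the opcode of the 5-byte x86 JMP rel32, and the writes come in pairs: one at a high address (0x75xxxxxx to 0x77xxxxxx, the same six addresses in every PID, which is what system DLLs mapped at a shared per-boot base look like in a 32-bit process) and one in a low private allocation. The Python below is an added illustration, not part of the Joe Sandbox report: it decodes the displacement of each JMP and pairs the writes. The low-address JMP resumes the patched function just past the overwritten bytes (the trampoline), and the patched function now jumps to the bytes immediately after that trampoline (the hook handler). The sample lines are copied from the PID 6852 entries above; the report does not say which functions live at the patched addresses, and the script does not guess.

```python
import re
import struct

# Constructed sample: six "Memory written" entries for PID 6852 copied from the report
# (three writes in the 0x7xxxxxxx range, three writes into low private memory).
SAMPLE_LINES = """\
Memory written: PID: 6852 base: 11F0005 value: E9 2B BA 4B 76
Memory written: PID: 6852 base: 776ABA30 value: E9 DA 45 B4 89
Memory written: PID: 6852 base: 1540008 value: E9 8B 8E 1B 76
Memory written: PID: 6852 base: 776F8E90 value: E9 80 71 E4 89
Memory written: PID: 6852 base: 1550005 value: E9 8B 4D 41 75
Memory written: PID: 6852 base: 76964D90 value: E9 7A B2 BE 8A
"""

LINE_RE = re.compile(
    r"PID:[ \t]*(\d+)[ \t]+base:[ \t]*([0-9A-Fa-f]+)[ \t]+value:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)"
)


def jmp_target(base, value):
    """Destination of a 5-byte x86 JMP rel32 (E9 imm32) written at address `base`.

    The displacement is signed and relative to the end of the instruction (base + 5);
    the result is reduced modulo 2**32 because these are 32-bit address spaces.
    """
    if len(value) != 5 or value[0] != 0xE9:
        raise ValueError("not a JMP rel32: %s" % value.hex())
    rel32 = struct.unpack("<i", value[1:])[0]
    return (base + 5 + rel32) & 0xFFFFFFFF


def parse_writes(text):
    """Return (pid, address, bytes) for every 'Memory written' line in `text`."""
    writes = []
    for m in LINE_RE.finditer(text):
        pid = int(m.group(1))
        base = int(m.group(2), 16)
        value = bytes.fromhex("".join(m.group(3).split()))
        writes.append((pid, base, value))
    return writes


def pair_hooks(writes):
    """Match each patched function entry (hook site) with its trampoline.

    For a classic inline hook the hooking code (1) copies the first n bytes of the target
    function into a private buffer, (2) appends a JMP back to target+n (the trampoline),
    and (3) overwrites the target's first 5 bytes with a JMP to its handler.  So a write
    at T is the trampoline of a write at H when T's JMP lands just past H (5 <= n <= 16)
    and H's JMP lands at or after T's own JMP ends (T + n + 5), inside the same region.
    The second condition is what breaks the symmetry between the two writes.
    """
    pairs = []
    for pid, h_base, h_val in writes:
        handler = jmp_target(h_base, h_val)
        for pid2, t_base, t_val in writes:
            if pid2 != pid or t_base == h_base:
                continue
            resume = jmp_target(t_base, t_val)
            stolen = resume - h_base
            if 5 <= stolen <= 16 and t_base + stolen + 5 <= handler < t_base + 0x1000:
                pairs.append({
                    "pid": pid,
                    "hooked": h_base,       # patched function entry (JMP written here)
                    "handler": handler,     # where the patched function now jumps
                    "trampoline": t_base,   # JMP that resumes the original function
                    "resume": resume,       # original function + stolen bytes
                    "stolen_bytes": stolen,
                })
    return pairs


def describe(pairs):
    """One human-readable line per hook."""
    return [
        "PID %d: %08X -> handler %08X; trampoline %08X resumes at %08X (%d bytes stolen)"
        % (p["pid"], p["hooked"], p["handler"], p["trampoline"], p["resume"], p["stolen_bytes"])
        for p in pairs
    ]


if __name__ == "__main__":
    for line in describe(pair_hooks(parse_writes(SAMPLE_LINES))):
        print(line)
```

For the first pair the script reports that 776ABA30 now jumps to 011F000F while the stub at 011F0005 returns to 776ABA35 with 5 bytes stolen; the second pair steals 8 bytes, so its trampoline sits at 01540008 and its handler at 01540015. The same pairing works on the other five PIDs because the high addresses are identical across them. Note that the report lists the writes as made by the downloaded executable into the named PIDs, which is why the signature reads "possibly setting hooks in foreign process"; whether those PIDs are its own children is not stated here.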

Malware Analysis System Evasion

Source: C:\Users\user\Downloads\???.?_4496905339.exeRDTSC instruction interceptor: First address: 9B2B2C second address: 9B2B32 instructions: 0x00000000 rdtsc 0x00000002 movsx eax, sp 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDesc
Source: C:\Users\user\Downloads\???.?_4496905339.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ludashi_lite_sem[1].dllJump to dropped file
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeRegistry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile opened: PhysicalDrive0
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Downloads\???.?_4496905339.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques grouped by tactic; a leading number is the count the report shows beside that technique, and techniques without one are the matrix's unflagged placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script
Defense Evasion: 2 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Rundll32; 1 DLL Side-Loading
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Query Registry; 22 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 11 Process Discovery; 123 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 2 Encrypted Channel; 11 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
https://down-package.ludashicdn.com/downloader/temp_package/2024-07/._4496905339.exe | 0% | Avira URL Cloud | safe

Source | Detection | Scanner | Label
C:\Users\user\Downloads\Unconfirmed 665717.crdownload | 54% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://softmgr-stat.ludashi.com/downloader/soft/reportNew | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll | 0% | Avira URL Cloud | safe
http://softmgr-cfg.ludashi.com/inst/get3 | 0% | Avira URL Cloud | safe
http://cdn-pc-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl015sq7bvbJV | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=2188&ex_ary[errcode]=14_200_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://cdn-pc-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl016CO7bvq8y | 0% | Avira URL Cloud | safe
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=2500&ex_ary[errcode]=14_200_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | 0% | Avira URL Cloud | safe
http://cdn-pc-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl016u_7bw9kP | 0% | Avira URL Cloud | safe
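The s.ludashi.com/url2 requests in the table above are the installer's own telemetry: one `action` per lifecycle event (ldsdownstart, down_start, down_fail, run), a transport name in ex_ary[method] (thunder, aliyun) and, on failures, an elapsed time and error code. The Python below is an added example, not part of the report, that parses those beacons and separates the parameters that never change across them (the fields a proxy-log detection could key on) from the per-attempt fields. The eight URLs are rebuilt from the table with their parameters regrouped into a shared tail for readability; no values are invented, and the report gives no timestamps, so the order of the attempts is not recoverable from it.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the eight s.ludashi.com/url2 beacons from the report, with the
# parameters common to all of them factored into one shared tail.
COMMON_TAIL = (
    "pid=buysite_1117&type=xzq&appver=6.1023.1185.719&modver=6.1023.1185.719"
    "&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718"
    "&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1"
    "&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481"
)


def _beacon(event_params):
    return "http://s.ludashi.com/url2?%s&%s" % (event_params, COMMON_TAIL)


BEACONS = [
    _beacon("action=ldsdownstart"),
    _beacon("action=down_start&ex_ary[method]=thunder"),
    _beacon("action=down_fail&ex_ary[method]=thunder&ex_ary[time]=0&ex_ary[errcode]=17_0_0"),
    _beacon("action=run"),
    _beacon("action=down_start&ex_ary[method]=aliyun"),
    _beacon("action=down_fail&ex_ary[method]=aliyun&ex_ary[time]=0&ex_ary[errcode]=17_0_0"),
    _beacon("action=down_fail&ex_ary[method]=aliyun&ex_ary[time]=2188&ex_ary[errcode]=14_200_0"),
    _beacon("action=down_fail&ex_ary[method]=aliyun&ex_ary[time]=2500&ex_ary[errcode]=14_200_0"),
]


def parse_beacon(url):
    """Split one beacon URL into the fields an analyst cares about."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "host": parts.hostname,
        "path": parts.path,
        "action": params.get("action"),
        "method": params.get("ex_ary[method]"),     # download transport tried
        "errcode": params.get("ex_ary[errcode]"),   # only present on down_fail
        "time_ms": int(params["ex_ary[time]"]) if "ex_ary[time]" in params else None,
        "params": params,
    }


def stable_params(urls):
    """Parameters whose value is identical in every beacon.

    These identify the build, campaign and machine rather than a single download
    attempt, so they are the fields worth keying a detection on; anything that varies
    between beacons (action, method, time, errcode) is noise for that purpose.
    """
    parsed = [parse_beacon(u)["params"] for u in urls]
    shared = set.intersection(*(set(p) for p in parsed))
    return {k: parsed[0][k] for k in sorted(shared) if all(p[k] == parsed[0][k] for p in parsed)}


def download_attempts(urls):
    """Group down_start/down_fail beacons by transport: which mirrors were tried and
    how each attempt ended (error code, elapsed milliseconds)."""
    attempts = {}
    for u in urls:
        b = parse_beacon(u)
        if b["action"] in ("down_start", "down_fail"):
            attempts.setdefault(b["method"], []).append((b["action"], b["errcode"], b["time_ms"]))
    return attempts


if __name__ == "__main__":
    for key, value in stable_params(BEACONS).items():
        print("%-16s %s" % (key, value))
    for method, events in download_attempts(BEACONS).items():
        print(method, events)
```

stable_params() returns pid, type, appver, modver, mid, siteid, softid, os, sr, bit and tagid; download_attempts() shows that the thunder transport reported down_fail with error 17_0_0 at time 0, while the aliyun transport reported 17_0_0 at time 0 and then 14_200_0 after 2188 and 2500 ms. The same parser runs unchanged over proxy or DNS-forwarder logs that record full request URLs.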
Name | IP | Active | Malicious | Antivirus Detection | Reputation
softmgr-cfg.ludashi.com | 49.4.55.6 | true | false | (none) | unknown
softmgr-stat.ludashi.com | 114.115.204.103 | true | false | (none) | unknown
s.ludashi.com | 47.117.76.201 | true | false | (none) | unknown
down-package.ludashicdn.com.w.kunluncan.com | 180.163.207.110 | true | false | (none) | unknown
sx-common-v4.volcgtm.com | 111.174.12.100 | true | false | (none) | unknown
www.google.com | 172.217.16.196 | true | false | (none) | unknown
paint.ludashi.com | 47.104.160.247 | true | false | (none) | unknown
cdn-thunder.ludashi.com.gslb.kuiniuca.com | 116.211.85.130 | true | false | (none) | unknown
paint-s.ludashi.com | unknown | unknown | false | (none) | unknown
cdn-thunder.ludashi.com | unknown | unknown | false | (none) | unknown
down-package.ludashicdn.com | unknown | unknown | false | (none) | unknown
cdn-pc-thunder.ludashi.com | unknown | unknown | false | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://softmgr-stat.ludashi.com/downloader/soft/reportNew | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=2188&ex_ary[errcode]=14_200_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://cdn-pc-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl015sq7bvbJV | false | Avira URL Cloud: safe | unknown
http://softmgr-cfg.ludashi.com/inst/get3 | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=thunder&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://cdn-pc-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl016CO7bvq8y | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=0&ex_ary[errcode]=17_0_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
http://cdn-pc-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4025.626/ludashi_lite_sem.dll?xy_rid=zYl016u_7bw9kP | false | Avira URL Cloud: safe | unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1023.1185.719&modver=6.1023.1185.719&mid=476c9762281cd642f0110c29927a8b70&ex_ary[method]=aliyun&ex_ary[time]=2500&ex_ary[errcode]=14_200_0&ex_ary[siteid]=1117&ex_ary[softid]=23080718&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=soft_lds.fengnue.cn@@827643332481 | false | Avira URL Cloud: safe | unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
116.211.85.130 | cdn-thunder.ludashi.com.gslb.kuiniuca.com | China | 58563 | CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | false
114.115.204.103 | softmgr-stat.ludashi.com | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
49.4.55.6 | softmgr-cfg.ludashi.com | China | 55990 | HWCSNETHuaweiCloudServicedatacenterCN | false
180.163.207.110 | down-package.ludashicdn.com.w.kunluncan.com | China | 4812 | CHINANET-SH-APChinaTelecomGroupCN | false
142.250.181.227 | unknown | United States | 15169 | GOOGLEUS | false
111.174.12.100 | sx-common-v4.volcgtm.com | China | 136194 | CHINATELECOM-HUBEI-HUANGSHI-IDCHuangshiHubeiProvinceP | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.163 | unknown | United States | 15169 | GOOGLEUS | false
47.117.76.201 | s.ludashi.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
47.104.160.247 | paint.ludashi.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
64.233.184.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.184.206 | unknown | United States | 15169 | GOOGLEUS | false
172.217.16.196 | www.google.com | United States | 15169 | GOOGLEUS | false
IP: 192.168.2.16
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1478577
                          Start date and time:2024-07-22 19:59:22 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                          Sample URL:https://down-package.ludashicdn.com/downloader/temp_package/2024-07/%E8%85%BE%E8%AE%AF%E4%BC%9A.%E8%AE%AE_4496905339.exe
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:31
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:1
                          Technologies:
                          • EGA enabled
                          Analysis Mode:stream
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal60.evad.win@29/20@15/159
                          • Exclude process from analysis (whitelisted): svchost.exe
                          • Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.184.206, 64.233.184.84, 34.104.35.123
                          • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: https://down-package.ludashicdn.com/downloader/temp_package/2024-07/._4496905339.exe
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.8409404014017015
                          Encrypted:false
                          SSDEEP:
                          MD5:AB59C4027B99D394C91D193AEF8BD847
                          SHA1:60E3D94CD872BFB29FF7294F2C7C689D565DFF90
                          SHA-256:987559502D71C820FB0CC5F21087E58865E9BCA3527A39EB8FCA1CB392CF2736
                          SHA-512:7DF6ED947C7FBCBA5083B3E4B30196F4B151A21173ADD81E159867A8962A98ABAAF8E431E5482AECDE08D991096EDDD1A4949F96B711BAED9B95DF3980BA8B56
                          Malicious:false
                          Reputation:unknown
                          Preview:{.0.1.A.9.E.3.C.1.-.1.F.4.D.-.4.2.b.3.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.7356772435069643
                          Encrypted:false
                          SSDEEP:
                          MD5:D8E471E8F50F81F155A1171090EE9FC7
                          SHA1:F10D22405CF857D7A95590A5315442C7A713F2B0
                          SHA-256:711048AB97C7707DC9B42DF5EDD54B6EB55A8A6C0ADE58C03E254E2442518B29
                          SHA-512:42DC8BB07C74A58CD35C5DA1FF84BDB6EFB42A98B6A752817C74B205603DC9527A9B8B36A9D66C455416510577A22EDE151BDE08A45BA9F8045040FF81620208
                          Malicious:false
                          Reputation:unknown
                          Preview:{.4.2.C.2.2.5.8.E.-.9.2.F.0.-.4.4.1.b.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.7555427040902134
                          Encrypted:false
                          SSDEEP:
                          MD5:B9ABAD1027D66A066DF6F1854051936F
                          SHA1:65A5AB075D58268809F8B53F8C701AEEEA12773F
                          SHA-256:896C4B2173250E019F11F23F92222AF02F76B87D6BF4B0CE479A0063D442DABF
                          SHA-512:EDEC1CAD6B59AE639D0054539BFF1B410EA5253DF7517C44671C350E5BFDD39D9B6B2A61BAE45DCE7BD16F65DC284B5950877117DE20C63B10A00CEFCDB4DE21
                          Malicious:false
                          Reputation:unknown
                          Preview:{.4.B.8.9.2.1.7.0.-.7.8.D.4.-.4.5.a.4.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.8409404014017015
                          Encrypted:false
                          SSDEEP:
                          MD5:D5316C0B0D47E0B393398CC3B187B72B
                          SHA1:41BC095D6401983C8D94B4625E50AEA48204F996
                          SHA-256:8A98B779650C3441B976BE57FE49B8BA9CF111E62C527FBD7D759FE78EFB55A4
                          SHA-512:FA0D2BE9E676CCBF1D990A5790ED0722E4EAC78FAEB04E96B80503107800BBF58833E22FB92755CC76502D1A8A816151957E537DD6C12017DE073024FE0A76E5
                          Malicious:false
                          Reputation:unknown
                          Preview:{.A.8.2.2.F.E.C.8.-.2.3.7.3.-.4.5.d.e.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.7356772435069647
                          Encrypted:false
                          SSDEEP:
                          MD5:94AC2834FAC612A8E71F8AC3D744E550
                          SHA1:7CA9112D35819A1CF0A109D6A4AD47EB6402DEEB
                          SHA-256:6248679A63A020789ABFCBDACD9E42F521DB1CBE00590A48D12896CB5DDDC49E
                          SHA-512:3329007B5A66CFA35F9766A8C6E095F1BFEE81314842328D4A3E29A3D41A097AA7BBD24D391744E0EFC8C3664D7C0B5639637547B747BF01ABA0DAF771F7EBB4
                          Malicious:false
                          Reputation:unknown
                          Preview:{.C.9.D.7.A.A.2.D.-.D.3.8.3.-.4.4.0.0.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.9660690198796873
                          Encrypted:false
                          SSDEEP:
                          MD5:E6A040DEDD8186F26380E867A216C451
                          SHA1:9368143DE7AC396E5669AC32B44ED21CAE4FA040
                          SHA-256:CA6B7F331B865BD2D2A1F33213468EB5922795AEF70FF2F42EA604C5DE77A935
                          SHA-512:C11B7ABBF21E649C26ED6667F513B3232CA081C2E2614F71E854A228166C4EAFD62B8B1B9BFF067555613AC5D26604D323F7561DBED9B2E7F3ADBD609BB8088B
                          Malicious:false
                          Reputation:unknown
                          Preview:{.D.5.6.A.3.8.7.B.-.F.2.B.F.-.4.d.e.1.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):2
                          Entropy (8bit):1.0
                          Encrypted:false
                          SSDEEP:
                          MD5:444BCB3A3FCF8389296C49467F27E1D6
                          SHA1:7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB
                          SHA-256:2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
                          SHA-512:9FBBBB5A0F329F9782E2356FA41D89CF9B3694327C1A934D6AF2A9DF2D7F936CE83717FB513196A4CE5548471708CD7134C2AE99B3C357BCABB2EAFC7B9B7570
                          Malicious:false
                          Reputation:unknown
                          Preview:ok
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:ASCII text, with very long lines (1600), with no line terminators
                          Category:dropped
                          Size (bytes):1600
                          Entropy (8bit):5.969265964511363
                          Encrypted:false
                          SSDEEP:
                          MD5:635E9A1285A8B0520A07BB67A945ABB9
                          SHA1:C1EDB4B35D759DFF0C9CF4A5B9C780574C60D143
                          SHA-256:84A2E92EAF86074818639A049F5D04C02D79AE50F5B66C71FE8EB7F93743BD56
                          SHA-512:FA6E62765918B9DA17F9E6AEE8EEF476DC4AC193515DE9C5908C4E42A091D60404B52732EA2BEE055182A8949CBC8FDE11F82E1258CE8CAED79B66813A813AAD
                          Malicious:false
                          Reputation:unknown
Preview:
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):6.26977245169501
                          Encrypted:false
                          SSDEEP:
                          MD5:EF9FDA874D8291D6849A24220EAC11D2
                          SHA1:851A14ADA49A56F148A28BC030CED305B4045DED
                          SHA-256:51B4128A47C1B99A7687A7E27D135F61778E64B113880532337375690CECADAD
                          SHA-512:D66098EC336FB7B86E3E1FD1661D574CA234A73A06D950E63F18960C8F356871C3DD85E7B9A58168A19E2A5734D89CA0C844510FCC8D0809FD59C4F9AA81BF81
                          Malicious:true
                          Reputation:unknown
                          Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.......[../.bp|.bp|.bp|...|.bp|...|.bp|...|?bp|..u}.bp|..x}.bp|.bp|.bp|^.u}.bp|..u}.bp|..|.bp|M.s}.bp|M.t};bp|M.u}.bp|...|.bp|...|6bp|.bq|.`p|..t}.bp|..u}ybp|..p}.bp|...|.bp|.b.|.bp|..r}.bp|Rich.bp|........................PE..L...>5.e...........!.....$....6.....+........@...............................@O.....z.L...@.............................X............ ..../..........jL..)....M..G..p...T...................h...........@............@..`............................text...W".......$.................. ..`.rdata..&....@.......(..............@..@.data........P.......6..............@....rsrc...../.. ..../.................@..@.reloc...G....M..H....M.............@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.7684433618710838
                          Encrypted:false
                          SSDEEP:
                          MD5:3473A30296E0F40B520C00DADD2C93E3
                          SHA1:B44592AAC6477BAD40C0C624343F07D2241CD56C
                          SHA-256:97E202155A0E044E1E8E7E86D24929792496CB781915425DD77BA3C9133D8215
                          SHA-512:37C264211A3E8467D7FA8B4EC167D3FAD14794988103CE5872F88EDAC9298BBD9D3607DDCF5A7B1F664EDD4A38A7DCD7E586DE58B39C48EB3760D0D7EC5353E1
                          Malicious:false
                          Reputation:unknown
                          Preview:{.5.A.E.C.D.4.D.0.-.E.E.D.7.-.4.6.f.c.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.6631802039763475
                          Encrypted:false
                          SSDEEP:
                          MD5:2DB22936193B3931892E83DA96F0FB3C
                          SHA1:02A93A9FB174EE24E84E9A96873856DE4D0BA888
                          SHA-256:467BD4D01146D73751FC2698026BEA8F53AD1983C5F9EBE3A1396F44C3A028B0
                          SHA-512:345C63C1FF9427186E56C17E16779EE8B9413BADA7EBA1F26F9F56EDD4952470EC05AFB519D245A8E408AB14C1B6E698323337EA77CC16BADA268E0DB081BB42
                          Malicious:false
                          Reputation:unknown
                          Preview:{.7.7.2.E.5.D.2.C.-.7.E.5.2.-.4.8.8.c.
                          Process:C:\Users\user\Downloads\???.?_4496905339.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):38
                          Entropy (8bit):2.7158117829237156
                          Encrypted:false
                          SSDEEP:
                          MD5:4A0D0367D413EF06EDF9BAA7819334FD
                          SHA1:16ED64BFF07FC5BEEB8D5828F4DA4B3CAA59CD90
                          SHA-256:4739D4B1EB998E9CF67DDC51EEB31D2D3AB698BB57DBF6036F1CE327996B83E0
                          SHA-512:506B8990807A9B8B059D5777EE9FE4114CADD8F18AA92B7C7F40651103F99F6950FF258E95391CBF0A88C8138E352B7D8169BC1B69ACAC1A06DC608EFDEF9432
                          Malicious:false
                          Reputation:unknown
                          Preview:{.C.B.D.6.0.4.6.5.-.8.C.6.A.-.4.5.4.a.
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 22 16:59:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2673
                          Entropy (8bit):3.9880849031037577
                          Encrypted:false
                          SSDEEP:
                          MD5:06CD6DE48CFD71180B3F8B5A7B29F702
                          SHA1:A528C53D4C2D5802B423794D64B09E4D2BBE01A3
                          SHA-256:BC060F1CE893F601B23E5FD1FD255FCA97117B21ADB42B99DD7CBAAC72D9F260
                          SHA-512:FA8D99F749A91F486E30D050EBF8DA2C2DCC4D91529DDF59C628C600028FA9BBF21A3B1723632785B47FEA3DE993E1738969E09800B3DCFF477086ED8C411879
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,.....C..`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xw.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xw.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xw............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xx............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............5.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 22 16:59:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2675
                          Entropy (8bit):4.008010403255031
                          Encrypted:false
                          SSDEEP:
                          MD5:D6801576873B77C3B2A04F302BBD42EC
                          SHA1:3556B1564262382670EAC0613914DEEDC9F2CCAD
                          SHA-256:67BBE7A8FAE92AFB6FD2EBD931C8587881D67CCBFB14E2CB27621DE1AD66834D
                          SHA-512:AD97A71FDA90B62F7D41338DCFA50E1CD535ABB89EBC9A32A94D57D5B339EB6997D41F9E037F7C3A38CE2878694F1E339CED1A149EF1596D5DE31C47A9E01D60
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,........`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xw.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xw.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xw............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xx............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............5.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2689
                          Entropy (8bit):4.014748080647959
                          Encrypted:false
                          SSDEEP:
                          MD5:58FB1ED08949D60D3781CB8C58B51320
                          SHA1:47D8EECFFBB0B7E82AA75BAC5D7C4C028CC35C04
                          SHA-256:2AF3D58562F8CB34C74165460E709DC4A15484E1BDCFA820F2C059F934067552
                          SHA-512:3DE08947EC732ED72BC87C7459920344E9B8413B2E7F5505C1FF5F374C4A9CA396524A2E7DA95D5C33FE5B68B8913BD73887472F72B00CDECF90458798FCCF39
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xw.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xw.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xw............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............5.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 22 16:59:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2677
                          Entropy (8bit):4.003182632299254
                          Encrypted:false
                          SSDEEP:
                          MD5:C1454002E122470406DA843DB8088316
                          SHA1:8623EA1E04927D08A057D2F90ED6A279F89B33ED
                          SHA-256:035ADF80FDF0636704ED93896828F380AAAD78DD471CC361CB1B97E2108E194D
                          SHA-512:426D9558D4E74BD696A9BA81A75CEA8362B8E82BED976A5A327B658AFFA0AA9D401B57DD01BA16E8C95F0D0CBD3B2FA5F374EAAA3F0C4274D0189D2E5E9ECDB9
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,....e...`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xw.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xw.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xw............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xx............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............5.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 22 16:59:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2677
                          Entropy (8bit):3.993512055931813
                          Encrypted:false
                          SSDEEP:
                          MD5:416098E78146FA73DD2100E14AC69CEC
                          SHA1:DF6C58DAEE1FB1AB033D7DFAD2328AC03F4E591F
                          SHA-256:9528A5384F7CDBB47FE98595ACD8A5EEF7D7032B74086951FA1C40A8E0D48495
                          SHA-512:611C46629E7D3D2C7361584EBFDECA5578E11979AAD9A8E779C7336856D80889B2B8BC957DCAED247E5F8249DCBA6EE69A98678C6E6165267A00A18CF1118502
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,....Y...`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xw.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xw.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xw............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xx............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............5.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 22 16:59:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2679
                          Entropy (8bit):4.0041163601117225
                          Encrypted:false
                          SSDEEP:
                          MD5:15B25AD5C096337D6566153D1E61DCA4
                          SHA1:6F7B029F8E45FF2FA30ED4AEB2AE575F37F4C3D6
                          SHA-256:B617DC28A41AE3B9911924FE430003DC0BDCB67F9067AC6162DB1B9313A95738
                          SHA-512:AA0F5316C78512F4653FA77C0C5754DCCA6D65FD4335142665CC1796F8D8E0868EED4B48BED8BCAEACAB1B239F634C12A72D8CB585AC334D6BE60D2C35BB81F3
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,........`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xw.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xw.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xw............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xx............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............5.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):7.256384775198924
                          Encrypted:false
                          SSDEEP:
                          MD5:3B8BC0C0863F91E429E7BF26E4BA4002
                          SHA1:F48E1A91ED547A544492039B20730272D3188ABF
                          SHA-256:F8B71B01E8350A83931823F486E2C368570137286371BBD55D6C0D36CEC33092
                          SHA-512:7BCB404B79654E3BDCBA3F82AC689604778FC6677269848695EE031A19DAD8878EB146266CBCE6A8605B3208B772DBD53CB56D64643ED936FF10186C57B677C2
                          Malicious:true
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..d.................:..........,.I......P....@...................................O...@.........................tZt.H...p.o.........=.............O.....................................P... ...@..@.............v.x.....<......................text....8.......................... ..`.rdata...c...P......................@..@.data...............................@....upx0...n.).........................`..`.upx1....ZH...9..\H.................`..`.reloc...............`H.............@..@.rsrc...=............fH.............@..@........................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):5187472
                          Entropy (8bit):7.874859686733168
                          Encrypted:false
                          SSDEEP:
                          MD5:3490DC6FE080B01509AE7ADF52D6F3D0
                          SHA1:84ED7D674DAA4B8FC5DB1F40C2D22B052C678672
                          SHA-256:A96982E8C7C60161303DB9DF2235268A7BE9A2DAC2FD5FDD12BA317CD7259CB0
                          SHA-512:CEDF06CD7313E20B291A45F09E937AEED3D53F4EB9D0F666A62C4B493686FB5702297FFDD36E66AFE6A2ED16028354301EDEEDE8170DCB269A4AD1D4341ED750
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 54%
                          Reputation:unknown
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):0
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:3490DC6FE080B01509AE7ADF52D6F3D0
                          SHA1:84ED7D674DAA4B8FC5DB1F40C2D22B052C678672
                          SHA-256:A96982E8C7C60161303DB9DF2235268A7BE9A2DAC2FD5FDD12BA317CD7259CB0
                          SHA-512:CEDF06CD7313E20B291A45F09E937AEED3D53F4EB9D0F666A62C4B493686FB5702297FFDD36E66AFE6A2ED16028354301EDEEDE8170DCB269A4AD1D4341ED750
                          Malicious:true
                          Reputation:unknown
                          No static file info